packing and sending the packets to another router
I’ve decided to gently move my blog from wordpress.com to a self-hosted WordPress… hopefully the 2-3 readers I’ve got will follow the blog onward, to a fresh/better start…
In a couple of days (hopefully) http://insanesecurity.info will be ready, with all the tweaks and stuff like that…
wrap-up and bad development
Well, I haven’t quite posted for a while (and I will not apologize, every other blogger does that) due to work and other projects…
No news to anybody: it’s been more than a year since I started Website Anatomy. Don’t get grumpy about it, because it will certainly be reopened soon… I hope…
A new version of Skavenger is on its way… no, it won’t stink (as much) as the first release, because the first release was “set up” as a reminder so I wouldn’t forget to develop it… the same applies to miniPHPBindShell… that’s the reason why the code sucks…
ah, yes, before I forget. About bad development.
Today I found the most interesting (dumb) SQL Injection vulnerability. I bypassed the authentication script (nothing fancy, the classical way) and was logged in under a certain username. The next thing I noticed is that after a refresh/page change I get another username, which leads me to the idea that the submitted username is stored in a variable and the login query (with the ‘ or 1=1# still in it) is run again on every page request… since the WHERE clause is always true, the query returns every user and the application shows whichever row happens to come first… I won’t point the finger because we recently got a collaboration project with them… wait till I show them the funny vulnerability… it will surely bring some laughs…
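The mechanism described above, as an added example (not from the post, and not the vulnerable application’s own code): a login that interpolates the submitted username into SQL, and the same lookup rebuilt on every page request. The table, the users, and the assumption that passwords are stored as md5 hex are all constructed for the demo; it is written for MySQL, where `#` starts a comment.

```sql
-- Added example (not from the post); table and rows constructed for the demo.
CREATE TABLE users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(32) NOT NULL,
  pwhash   CHAR(32)    NOT NULL          -- assumed: md5 hex, as in the login scripts below
);
INSERT INTO users (username, pwhash) VALUES
  ('admin', MD5('adminpass')),
  ('alice', MD5('hunter2')),
  ('bob',   MD5('letmein'));

-- Submitted username:  ' or 1=1#     submitted password: anything
-- The script builds:   WHERE username='<name>' AND pwhash=MD5('<pass>')
-- After interpolation the '#' starts a MySQL comment, so the password check vanishes:
SELECT id, username FROM users WHERE username='' or 1=1#' AND pwhash=MD5('anything');
-- 3 rows.  A script that does "fetch one row, that is the user" gets whichever
-- row the server returns first; there is no ORDER BY, so nothing pins that down.

-- If the raw string is kept as the "logged-in user" and this statement is rebuilt
-- on every page load, the wide-open query runs on every page load too.
-- Binding the value instead of interpolating it makes the quote and '#' plain data:
PREPARE login FROM 'SELECT id, username FROM users WHERE username=? AND pwhash=?';
SET @u = "' or 1=1#", @p = MD5('anything');
EXECUTE login USING @u, @p;             -- Empty set: no user is literally named "' or 1=1#"
DEALLOCATE PREPARE login;
```

The prepared statement is the server-side equivalent of what a PHP script gets from mysqli/PDO bound parameters; escaping with mysql_real_escape_string() is the weaker fallback for the old mysql_* extension used later on this page.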
p.s. in a couple of weeks I’m finalizing another project, it’s kind of a secret. But be sure it will be something many will find useful, at least I hope…
keeping it real… em beta…
I’m sure that everybody (even my mom) knows/has heard about Google Chrome… it’s quite a hype out there… also few know about its vulnerabilities (not everybody is interested in this sort of thing)… and I’m probably the last blogger to write about Chrome (just search Google Chrome on Blogsearch and you’ll see my point)…
Interested in reading more about Chrome? Take a look at lifedork, and also bookmark ChromeKB…
Suspekt… » Blog Archive » MySQL and SQL Column Truncation Vulnerabilities
When user input is not checked for its length, SQL Column Truncation Vulnerabilities can arise. “SQL Column Truncation Vulnerability” is the name I use to describe security problems arising from overlong input that is truncated during insertion into the database. By default MySQL will truncate strings longer than the defined maximum column width and only emit a warning. Those warnings are usually not seen by web applications and therefore not handled at all. In MySQL the sql_mode STRICT_ALL_TABLES can be activated to turn these warnings into errors, but applications will run most of the time on servers that run in the default mode, and even if an application uses the stricter sql_mode it should not produce this error in the first place. Therefore a length check is required.
To understand why the truncation on insert can lead to security problems imagine the following application.
* The application is a forum where new users can register
* The administrator’s name is known e.g. ‘admin’
* MySQL is used in the default mode
* There is no application restriction on the length of new user names
* The database column username is limited to 16 characters
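The scenario set up by the list above, carried through against MySQL as an added example (not from the Suspekt article or this blog). Table, user names and passwords are constructed. Two things are pinned explicitly because they changed after 2008: the default sql_mode has included STRICT_TRANS_TABLES since MySQL 5.7, and MySQL 8.0’s default collation utf8mb4_0900_ai_ci is NO PAD, so the column is given a PAD SPACE collation (utf8mb4_general_ci) to reproduce the behaviour the article assumes.

```sql
-- Added example (not from the article); names and passwords are constructed.
SET SESSION sql_mode = '';                -- the 2008 default: truncate and warn

CREATE TABLE forum_users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(16) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
  pwhash   CHAR(32) NOT NULL              -- assumed md5 hex, as elsewhere on this page
);
INSERT INTO forum_users (username, pwhash) VALUES ('admin', MD5('adminpass'));

-- The attacker registers  'admin' + 11 spaces + 'x'  (17 chars; the forum has no
-- length check).  Non-strict MySQL cuts it to 16 characters and only warns, so the
-- stored name is 'admin' followed by 11 spaces, and the 'x' is gone.
INSERT INTO forum_users (username, pwhash)
  VALUES (CONCAT('admin', REPEAT(' ', 11), 'x'), MD5('attackerpass'));
SHOW WARNINGS;  -- Warning 1265: Data truncated for column 'username' at row 1

-- PAD SPACE collations ignore trailing spaces in comparisons, so the forum's
-- "find the user by name" query now matches two rows:
SELECT id, username, LENGTH(username) FROM forum_users WHERE username = 'admin';
-- 1 | admin            |  5
-- 2 | admin            | 16

-- Logging in as 'admin' with the attacker's password succeeds, because the
-- lookup below is satisfied by row 2:
SELECT id FROM forum_users WHERE username = 'admin' AND pwhash = MD5('attackerpass');

-- Server-side mitigation: make MySQL refuse instead of truncate.  The real fix is
-- the length check in the application that the article asks for.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO forum_users (username, pwhash)
  VALUES (CONCAT('admin', REPEAT(' ', 11), 'x'), MD5('again'));
-- ERROR 1406 (22001): Data too long for column 'username' at row 1
```

Caveat for practitioners: if `username` carries a UNIQUE key, the second INSERT fails with a duplicate-key error under a PAD SPACE collation, since the truncated value compares equal to ‘admin’. Applications that check for an existing name with a SELECT on the untruncated 17-character string, and only then INSERT, get no such protection, which is why the length check has to happen before the value reaches the database.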
MuWeb 0.8 Sql Injection
The other day I saw in the search engine terms on my stats page (I usually look at it because I try to write posts according to what people were looking for when they landed here) that someone came by searching for MuWeb 0.8 Sql Injection… for those I have good news: there is such a vulnerability… I, like other people, had to take some time to find it, because I had never looked at the registration page… yep, there it is, in the email input… why only there? Because there is no email validation or string cleaning applied to it (some patches clean the other strings, but not the email)… also the email input field has no predefined maxlength… yeah, you can remove the limits on the other fields, but those are trimmed in the php script…
—
';shutdown--
—
^^
JS Judo + XSS + CSRF = Pwnage
…an excellent breeding environment for an XSS worm…
What is an XSS worm?
Wikipedia
An XSS Worm, also known as a cross site scripting virus[1], is a malicious (or sometimes non-malicious) payload that propagates among visitors of a website in the attempt to progressively infect other visitors.
Sticking to KIS (keep it simple) standards: it’s a piece of code that propagates…
JS Judo?
Reuse of JS code… see JS Judo and JS Judo II… targets for JS Judoing would be frameworks like Dojo, Prototype, jQuery, MooTools, etc…
XSS?
If you don’t know what XSS is, you’re in the wrong place…
CSRF?
Same as above… I wrote a couple of articles about it somewhere around here…
Gluing the pieces together
To get the idea (as a starter article) read Launching XSS CSRF Based Worms On Social Networks… Writing A Modular Universal XSS Worm may also sound interesting… but if you’re like me, making the code propagate and carry a payload is more than enough…
KIS?
Keeping it simple… here is what the worm should do…
—
:phase 1
after load -> get the list of friends
message them (all) a link that loads (via XSS) the worm
:phase 2
payload
—
In theory it’s very simple, but when writing the code it’s essential to understand the site structure (to know what requests to make and how to parse the responses)… also sometimes you’ll have to grab the anti-CSRF token from a page before you can post… good luck… =)
Happy Birthday
Yes, today Insane Security got its first birthday… for me it came so quickly, I noticed it just a couple of days ago… oh well, let’s do a list of the articles written till now…
- The Google Saga (first article about a couple of things I wanted to do…)
- How To – Videos (The Beginning) (had an impulse to do a series of video tutorials)
- the script kiddie life – easier than yesterday (some thoughts about the script kiddie art)
- NetCat & PowerShell -> disaster (what happens when you combine PowerShell with netcat)
- httpOnly vs. XmlHttpRequest (how to bypass the httpOnly cookie restriction)
- Secure Php Login Script (a rather weird login script, but secure =))
- Website Anatomy (a project which is momentarily suspended)
- The History Of Hacking (the documentary with the same name; source: youtube)
- Proxy’s for fun and anonymity – vol. 1 (the first part of a raw proxy usage tutorial)
- Proxy’s for fun and anonymity – vol. 2 (vol 2: proxy chaining)
- quote: Javascript is evil (a pretty interesting article by SirDarckCat)
- rudimentary anti-x(ross)s(ite)s(cripting) (the function I use to prevent XSS)
- XSS MuWeb (MuWeb 0.8 XSS vulnerability)
- Making it harder (Session Hijacking) (a thought against Session Hijacking)
- I love CSRF (XSRF) (how to manipulate polls with CSRF)
- Windows Network Hacking via Winfingerprint (sweet little tool inside big Windows based networks)
- Source code audit – PHP (what to audit in PHP scripts)
- Cmd Code Audit (Skavenger) (code auditing tool, very poorly written… working on a newer version of it)
- new fashion, new ways (or not) (protections against CSRF)
- mailbombing – a myth or a legend (thoughts about old school mailbombing)
- less spam on blogs (common method for preventing spam)
- Got new bait? (something phishers would love)
- woot free shells (free unix shell)
- Ancient History (about a mIRC script I created, called Metalfish)
- No Root For You: A Series Of Tutorials, Rants And Raves, And Other Random Nuances (preview of the book written by Gordon Johnson)
- Regenrative Tokens (improvement of the CSRF protection)
- planting crops (about GoNullYourself)
- This is plain dumb?! (worst security camera positioning)
- manual renaming… (damn apache documentation files)
- Backtrack 3 Final Released (guess what?)
- Different aproach on including files in PHP (secure ways to include files)
- WebGoat – cause everyone else is doing it! (a J2EE insecure web application)
- Enigma? (write or download scripts?)
- XdSS – cross domain site scripting (the sexiest IE vulnerability ever)
- GNY.shell (favorite web shell)
- Your temporary anonymail (temporary email address)
- miniPHPBindShell (my first PHP based bindshell)
- //Mark as valid (an article that should have been written a long time ago)
This is what I accomplished in a year… pretty weak… hoping that a year from now I’ll have something to boast about… (eof)
//Mark as valid
If some of you remember, a long time ago I wrote an article about a secure login script and put a comment in the php code => mark as valid… well, this is a tiny article on how different people mark logged-in users as valid…
Via SESSION
Also known as the preferred way…
—
// session_start() must already have been called; $list holds the username
// that the login query just verified
$_SESSION["auth"] = 1;
$_SESSION["name"] = $list;
—
Via COOKIE
Not recommended: the cookie carries the username and the password hash, so anyone who can read or steal it (XSS, a sniffed connection, a shared machine) is logged in as that user until the password changes… it works, but sessions are the better choice…
—
$value = $list;                  // the username
$value .= "|";
$value .= md5($passwd);          // yes, double md5: $passwd already holds md5(password)
setcookie("auth", $value, 0);    // 0 = session cookie, dropped when the browser closes
—
Authentication verification
Should be included first in every protected page… When using sessions the following check is enough…
—
if (!isset($_SESSION["auth"]) || $_SESSION["auth"] != 1) {
    header("Location: inValidUser.php"); //get the fuck out of here
    exit();
}
—
When cookies are used, use the following code to check the authentication:
—
// mysql_connect() takes host, user, password, in that order.  The mysql_*
// extension is deprecated since PHP 5.5 and gone in 7.0; use mysqli or PDO there.
$handle = mysql_connect("mySQLHost", "user", "pass");
mysql_select_db("yourdb", $handle);
// cookie format: "username|md5(passwordhash)"
$list = explode("|", isset($_COOKIE["auth"]) ? $_COOKIE["auth"] : "");
if (count($list) != 2) {
    header("Location: inValidUser.php");
    exit();
}
foreach ($list as $key => $value) { //somebody could forge a cookie
    // escaping needs an open connection, hence the connect above
    $list[$key] = mysql_real_escape_string($value, $handle); //with mysql injection
}
$query = mysql_query("SELECT id0 FROM 1nside0ut WHERE
    r34ln4m3='" . $list[0] . "' AND md5(entryw41)='" . $list[1] . "'", $handle);
if ($query === false || mysql_num_rows($query) != 1) {
    header("Location: inValidUser.php"); //get the fuck out of here
    exit();
}
—
Phew… just insert the mark-as-valid code in the login script, and the validation in every file…
miniPHPBindShell
miniPHPBindShell is a minimalist bindshell written in php (as its name says)…
Unlike other php bindshells it doesn’t use the sockets extension, which isn’t enabled by default; it uses PHP 5 streams instead, which are part of PHP 5 core, so it should work just fine…
To note: the responses sent to the client end in CR+LF, which suits a standard telnet client; actually it was tested only with the Windows telnet client and PuTTY (which gave some odd display)…
What can this shell offer me that other bindshells don’t?
Other php bind/reverse shells won’t help you in most cases because they just execute the single command line you pass, and with safe_mode on (common on shared hosts at the time) safe_mode_exec_dir restricts which binaries the exec family may run, so you can’t run commands that would take you outside the allowed directory. This is where miniPHPBindShell may prove helpful, because at runtime it creates a .bat or .sh file (depending on the OS, duh!), commands are added to the file via `addcom`, and the file is executed with `execute`.
Note: you’ll always have to issue `newcom` after running `execute`, otherwise the next commands will be appended to the same (bat|sh) file…
example usage:
—
addcom cd C:\
addcom dir /o /b
execute
newcom
addcom cd C:\
addcom del *.tmp
execute
—
Not quite helpful? Thought so… Anyway, I started a project and hopefully in the near future I’ll show you a decent php based bind/reverse shell…
Till then, here is the mini-tiny-small bindshell -> miniPHPBindShell