Archive for July, 2008 | Monthly archive page
Happy Birthday
Yes, today Insane Security got its first birthday… for me it came so quickly, I only noticed it a couple of days ago… oh well, let's do a list of the articles written till now…
- The Google Saga (first article about a couple of things I wanted to do…)
- How To – Videos (The Beginning) (had an impulse to do a series of video tutorials)
- the script kiddie life – easier than yesterday (some thoughts about the script kiddie art)
- NetCat & PowerShell -> disaster (what happens when you combine powershell with netcat)
- httpOnly vs. XmlHttpRequest (how to bypass the httpOnly cookie restriction)
- Secure Php Login Script (a rather weird login script, but secure =))
- Website Anatomy (a project which is suspended for the moment)
- The History Of Hacking (the documentary with the same name; source: youtube)
- Proxy's for fun and anonymity – vol. 1 (the first part of a raw proxy usage tutorial)
- Proxy's for fun and anonymity – vol. 2 (vol 2, proxy chaining)
- quote: Javascript is evil (a pretty interesting article by SirDarckCat)
- rudimentary anti-x(ross)s(ite)s(cripting) (function I use to prevent XSS)
- XSS MuWeb (MuWeb 0.8 XSS vulnerability)
- Making it harder (Session Hijacking) (a thought against Session Hijacking)
- I love CSRF (XSRF) (how to manipulate polls with CSRF)
- Windows Network Hacking via Winfingerprint (sweet little tool inside big windows based networks)
- Source code audit – PHP (what to audit in PHP scripts)
- Cmd Code Audit (Skavenger) (code auditing tool, very poorly written… working on a newer version of it)
- new fashion, new ways (or not) (protections against CSRF)
- mailbombing – a myth or a legend (thoughts about old school mailbombing)
- less spam on blogs (common method for preventing spam)
- Got new bait? (something phishers would love)
- woot free shells (free unix shell)
- Ancient History (about a mIRC script I created, called Metalfish)
- No Root For You: A Series Of Tutorials, Rants And Raves, And Other Random Nuances (preview of the book written by Gordon Johnson)
- Regenerative Tokens (improvement of the CSRF protection)
- planting crops (about GoNullYourself)
- This is plain dumb?! (worst security camera positioning)
- manual renaming… (damn apache documentation files)
- Backtrack 3 Final Released (guess what?)
- Different approach on including files in PHP (secure ways to include files)
- WebGoat – cause everyone else is doing it! (a J2EE insecure web application)
- Enigma? (write or download scripts?)
- XdSS – cross domain site scripting (the sexiest IE vulnerability ever)
- GNY.shell (favorite web shell)
- Your temporary anonymail (temporary email address)
- miniPHPBindShell (my first PHP based bindshell)
- //Mark as valid (an article that should have been written a long time ago)
This is what I accomplished in a year… pretty weak… hoping that a year from now I'm gonna have something to boast about… (eof)
//Mark as valid
If some of you remember, a long time ago I wrote an article about a secure login script and put a comment in the php code => mark as valid… well, this is a tiny article on how different people mark logged in users as valid…
Via SESSION
Also known as the preferred way…
—
$_SESSION["auth"] = 1;
$_SESSION["name"] = $list;
—
Via COOKIE
Not recommended, but safe anyway…
—
$value = $list;
$value .= "|";
$value .= md5($passwd); //yes double md5
setcookie("auth", $value, 0); //expires when the browser closes
—
Authentication verification
Should be included first in every file… When using sessions the following check would be enough…
—
if($_SESSION["auth"]!=1) {
header("Location: inValidUser.php"); //get the fuck out of here
exit();
}
—
When cookies are used… use the following code to check for authentication:
—
$handle = mysql_connect("mySQLHost", "user", "pass"); //host first, then user and password
mysql_select_db("yourdb", $handle);
$list = explode("|", $_COOKIE["auth"]);
foreach($list as $key => $value) { //somebody could forge a cookie
$list[$key] = mysql_real_escape_string($value, $handle); //with mysql injection; escaping needs the open connection
}
$query = mysql_query("SELECT id0 FROM 1nside0ut WHERE r34ln4m3='" .$list[0]. "' AND md5(entryw41)='" .$list[1]. "'", $handle);
if(mysql_num_rows($query)!=1) {
header("Location: inValidUser.php"); //get the fuck out of here
exit();
}
—
phew… just insert the mark as valid code in the login script… and the validation in every file…
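An added example, not from the original post: the same cookie-based check written with mysqli prepared statements, so a forged cookie value is bound as data and never becomes part of the SQL string. The table and column names are the post's own; the host, user, password and database name are placeholders.

```php
<?php
// Added example (not the post's code): cookie "mark as valid" check with
// prepared statements instead of string escaping.

function cookieUserIsValid(mysqli $db)
{
    if (!isset($_COOKIE['auth'])) {
        return false;                         // no auth cookie at all
    }
    // cookie format from the post: name|md5(passwd)
    $parts = explode('|', $_COOKIE['auth'], 2);
    if (count($parts) !== 2 || !preg_match('/^[a-f0-9]{32}$/', $parts[1])) {
        return false;                         // malformed or forged cookie
    }
    list($name, $hash) = $parts;

    // ? placeholders are bound as strings: a quote in the cookie stays data.
    $stmt = $db->prepare(
        'SELECT id0 FROM `1nside0ut` WHERE r34ln4m3 = ? AND md5(entryw41) = ?'
    );
    $stmt->bind_param('ss', $name, $hash);
    $stmt->execute();
    $stmt->store_result();
    $found = ($stmt->num_rows === 1);        // exactly one matching user
    $stmt->close();
    return $found;
}

// placeholders: host, user, password, database
$db = new mysqli('mySQLHost', 'user', 'pass', 'yourdb');
if (!cookieUserIsValid($db)) {
    header('Location: inValidUser.php');
    exit();
}
```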
miniPHPBindShell
miniPHPBindShell is a minimalist bindshell created in php (as it’s name says it)…
Unlike other php bindshells it doesn't use the socket extension, which isn't enabled by default; instead it uses PHP 5 streams, which are part of PHP 5 -> should work just fine…
to note: the response sent to the client uses CR&LF line endings, optimal for a standard telnet client; actually it was tested only with the windows telnet client and puTTY (which gave some uncommon display)…
What can this shell offer me that other bindshell don’t?
Other php bindshells/reverseshells won't help you in most cases because they just execute the command you pass, and with the safe_mode_exec_dir directive on by default you can't execute commands that would take you outside the php script's directory. This is where miniPHPBindShell may prove helpful, because at runtime it creates a .bat or .sh file (depending on OS, dah!); commands are added to the file via `addcom` and the file is executed with `execute`.
Note: you'll always have to issue `newcom` after running `execute`, because otherwise the commands will be appended to the existing file…(bat|sh)…
example usage:
—
addcom cd C:\
addcom dir /o /b
execute
newcom
addcom cd C:\
addcom del *.tmp
execute
—
Not quite helpful? Thought so… Anyway, I started a project and hopefully in the near future I'm gonna show you some decent php based bind/reverse shell…
Till then, here is the mini-tiny-smally-bindshell -> miniPHPBindShell
Your temporary anonymail
I don't know if you were ever in those kinds of situations when you had to create multiple accounts for an online game/forum/website, etc. For one, I sure was in that situation, and always had to create a new email address just so I could click that f***ing validation link, even if I would never return to the same website again… also, this email validation method always brought me a new series of spam, and I could say with 99% certainty that it was due to that activation schema…
Not anymore, because recently I Stumbled Upon a website which winked back at me with the following phrase:
This website provides you with disposable e-mail addresses which expire after 15 Minutes. You can read and reply to e-mails that are sent to the temporary e-mail address within the given time frame.
And it’s for real… online back at GuerrillaMail…
GNY.shell
After lots of work, GNY.Shell is ready to be released. It is based on Storm7Shell. GNY.Shell offers many new features, with a few listed below:
> Added precompiled VMSplice Exploit
> Added IP:Port and PHP Proxy generation
> Removed all images (fewer entries in access logs)
> Added various scripts and loads more features
> Removed some unnecessary code
> Tons more for you to go test out the shell and find ;)
More information: http://gonullyourself.org/board/showthread.php?t=395
GNY.Shell: http://gonullyourself.org/shell.txt
Enigma?
Now this may be interesting… Should you write your own code? … or… Download already available code?… this is a question that's been bothering me for a while, and I think it will bother others from now on (maybe)…
I’ll throw in some pros and cons about this subject… some will agree while others will not… here we go.
- Downloading available code! (CMS, Blog, Guestbook, Forum, OnlineShop, etc)
  - Pros
    - easy to install
    - easy configuration
    - many plug-ins
    - many updates
  - Cons
    - many updates, periodically need to check for them
    - once you modded a module, you'll have to mod it again in every update
    - often hard to digest code, hard to mod
- Writing own code!
  - Pros
    - you make it your way
    - if you know what you're doing you can secure it pretty well
    - you update only what you use, no problems with modding
    - you constantly improve your skills
  - Cons
    - time consuming
    - you make it your way – yep
I don't know how other people are, but when it comes to scripting I usually do my own scripts… web applications only… while for desktop applications and client side scripts I'd rather download them… because they usually do not tend to be so complexly divided… that is, as mentioned already, my opinion… hoping to get some feedback on this issue…
WebGoat – cause everyone else is doing it!
The unzip and run insecure J2EE web application… at least under windows…
WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://code.google.com/p/webgoat/
Different aproach on including files in PHP
A couple of days/weeks ago (don't quite remember well) I came across Savride's blog, where I also stumbled upon the following article, Secure PHP variables $_GET, $_POST – wrapper function, which was kinda hard to digest at first… too much obfuscated code in one place… it's ok if it works for him, but for file inclusion I would rather have a different approach, a more lightweight one… instead of doing all that input verification and whatever more there is, I use the following code… more readable, and as secure as his…
—
<?php
$files = array("error.php", "news.php", "blog.php", "download.php"); //whitelist of includable files
$index = isset($_GET["file"]) ? (int) $_GET["file"] : 0;
if($index < 0 || $index >= count($files)) { //negative or out of range index -> error page
include($files[0]);
}
else {
include($files[$index]);
}
?>
—
Just as simple as that… could save a lot of effort to prevent rfi/lfi… won't you agree?… It's the developer's choice here… I always try to find ways to minimize my code while keeping it safe as well….
Expecting just the expected -> http://www.0x000000.com/