KNOX D3: February 2013

How To Dodge iOS 6.1.2 Passcode - Vulnerability Exploited And Explained

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvUK1UM5cfc1wOfBBhK4Ki9Nvl2cy_RR0_K21aH-NVy-lIlUzMvvuGbmG998SuvX_ewbzgY06Y_RtniVWf0VzDIUzLJyNnlLRsMpmpJZiqP_xviVHgSxUjRHia-Zpq8N0Mk6KoA7Bf3Ts/s1600/gadget-iPhone-security.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvUK1UM5cfc1wOfBBhK4Ki9Nvl2cy_RR0_K21aH-NVy-lIlUzMvvuGbmG998SuvX_ewbzgY06Y_RtniVWf0VzDIUzLJyNnlLRsMpmpJZiqP_xviVHgSxUjRHia-Zpq8N0Mk6KoA7Bf3Ts/s400/gadget-iPhone-security.gif" width="400" /></a></div><br />Apple has been a bit bitter past a few of its iOS releases making it that much easier for iOS device users to spit out what they chew. After the release of iOS 6.1.2, we imagined Apple to have gotten on its high horse to resolve security issues that haunted iOS 6.1. Unfortunately, our dreams remain shattered. Apple has been unable to fix 3G connectivity and Exchange Calendar bugs in iOS 6.<br /><br /><a name='more'></a><br />It seems like hackers have been able to by-pass iOS's security code once again. Founder and CEO of Vulnerability Lab, Benjamin Kunz Mejri, has described the two exploits discovered in full, giving us a tutorial on how to use them for our own benefit.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCg6Saboq47wbn-h5kmn-zqauCajFNk56j23-zLVa4xu4nCW4ooPWI3868T14q-X3lNnF5rw7Dcr1h6nENS2oVzUsHU34v-coOwS3ufoJekF20FG_TMvBQUcBC7_5dhsKYkxjprm2qCwM/s1600/passcode-320x480.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCg6Saboq47wbn-h5kmn-zqauCajFNk56j23-zLVa4xu4nCW4ooPWI3868T14q-X3lNnF5rw7Dcr1h6nENS2oVzUsHU34v-coOwS3ufoJekF20FG_TMvBQUcBC7_5dhsKYkxjprm2qCwM/s400/passcode-320x480.png" width="266" /></a></div><br /><a href="http://www.vulnerability-lab.com/" rel="nofollow" style="font-weight: bold;" target="_blank">Vulnerability Lab</a><b>'s </b>Benjamin Kunz Mejri posts:<br /><br /><br /><blockquote class="tr_bq"><i><tt style="background-color: transparent; border: 0px; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="font-family: Arial, Helvetica, sans-serif;">A code lock bypass vulnerability via iOS as glitch is detected in the official Apple iOS v6.1 (10B143) for iPad & iPhone. </span></tt><tt style="background-color: transparent; border: 0px; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="font-family: Arial, Helvetica, sans-serif;">The vulnerability allows an attacker with physical access to bypass via a glitch in the iOS kernel the main device code lock (auth). </span></tt><tt style="background-color: transparent; border: 0px; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="font-family: Arial, Helvetica, sans-serif;">The vulnerability is located in the main login module of the mobile iOS device (iphone or ipad) when processing to use the screenshot function in combination with the emegerncy call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs. </span></tt><tt style="background-color: transparent; border: 0px; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="font-family: Arial, Helvetica, sans-serif;">The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction. </span></tt><tt style="background-color: transparent; border: 0px; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="font-family: Arial, Helvetica, sans-serif;">Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.</span></tt></i></blockquote><div style="background-color: white; border: 0px; color: #333333; font-family: arial, helvetica, sans-serif; font-size: 15px; margin-bottom: 10px; padding: 0px; text-align: -webkit-auto; vertical-align: baseline;"><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;"><br /></tt></div><br />For starters, you will be using the Emergency Call feature, the lock/sleep button and the screenshot feature. This will help you to by-pass the security code needed to access information on an iDevice.<br /><br />In the first exploit, the hacker can penetrate the iDevice while placing the emergency call, cancelling the call while holding the lock/sleep button and bang! That's it. The hacker will be able to access the iDevice without the security code.<br /><br />In the second exploit, the hacker needs to make the iPhone screen go black in order for him/her to plug in the iDevice into a computer through USB and access the phone without the PIN or security code.<br /><br /><b>You can by-pass iPhone, iPad or iPod's security by following the steps given below:</b><br /><br />1. Make sure the code lock is activated.<br /><br />2. Switch your device on by pressing the power button (top right).<br /><br />3. The iDevice will come to life and the passcode lock will be visible on the screen.<br /><br />4. Click on the Emergency Call.<br /><br />5. Dial any random Emergency number such as 911 and hit call.<br /><br />6. Disconnect the call immediately after so that the network does not connect to your dialled number.<br /><br />7. Press power button and then the home button on your device.<br /><br />8. Now, push the power button for three seconds, immediately followed by the home button and the emergency call button all at the same instance (without removing your finger off the other).<br /><br />9. Take your finger of the home button first and then the power button.<br /><br />10. The iDevice's screen, at this moment, will be black.<br /><br />11. Connect your iDevice with you computer with a USB in this mode.<br /><br />12. You will now have access to all files available in the system.<br /><br />However, this method has its limitations too and we request our readers to attempt the above hack at their own risk and for their own knowledge.<br /><br />If you have lost your iPhone, iPod or iPad, we would advice you to use the remote wipe-out feature to erase all your personal data from the iDevice before it gets into wrong hands.<br /><br />Cheers!<br /><div class="separator" style="clear: both; text-align: center;"><br /></div><b>About the Author:</b><br />This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.</div>

How To Dodge iOS 6.1.2 Passcode - Vulnerability Exploited And Explained

Apple has been a bit bitter past a few of its iOS releases making it that much easier for iOS device users to spit out what they chew. After...

+ Read more »

Use NMAP as a Information gathering tool

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><span style="font-family: 'Bitstream Charter', serif; font-size: medium;">Usually we use NMAP as a port scanner to find open port of web-server, But with help of this Tool we can also gather  Information about victim using NMAP script. In this tutorial we use NMAP to gather information.</span><br /><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">(1) Use NMAP to determine I.P. Address of victim:-   NMAP include two scripts in his database.</span></span></span></div><div style="margin-bottom: 0in;"><span style="color: black;"><b>      <span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">nmap --script ip-geolocation-* host-name</span></span></b></span><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjes3iibx9qt9jOEWiQKQKGTJNYROrWJWnM06khxCYS8L2UBmdpSXiYDqHhNk0d_WVK4jQ015tBQ-DNTnOGwvyQt2L5R-kifqMpMOHXMB422HG9m8jf-HroQpQ0XB_SJZevYAm-dqmzYZZn/s1600/Information+_gathering+using+NMAP.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nmap-as-information-gather" border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjes3iibx9qt9jOEWiQKQKGTJNYROrWJWnM06khxCYS8L2UBmdpSXiYDqHhNk0d_WVK4jQ015tBQ-DNTnOGwvyQt2L5R-kifqMpMOHXMB422HG9m8jf-HroQpQ0XB_SJZevYAm-dqmzYZZn/s320/Information+_gathering+using+NMAP.jpeg" title="nmap-as-information-gather-5" width="320" /></a></div><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;"><br /></span></span></span></div><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">As we can see that it show co-ordinate & location of our target.</span></span></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">(2)Use NMAP as Whois Tool:- Following Command is used to find whois information about victim</span></span></span></div><div style="margin-bottom: 0in;"><span style="color: black;"><b>     <span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">nmap --script whois host-name</span></span></b></span><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK-1KPSQdJDG1IiJniF0AhAHL6IBvsSGvjKIgYWNQzwGduENsQNTfW_3YVprrVNiGfPFQWnEu13KXOugeqT09nQei3ovv8Q2UjgpqZrRK5fPNZUcqyt_gouORe1X1bHeufTVzmndVQVfun/s1600/webaddress+of+website2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nmap-as-information-gather" border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK-1KPSQdJDG1IiJniF0AhAHL6IBvsSGvjKIgYWNQzwGduENsQNTfW_3YVprrVNiGfPFQWnEu13KXOugeqT09nQei3ovv8Q2UjgpqZrRK5fPNZUcqyt_gouORe1X1bHeufTVzmndVQVfun/s320/webaddress+of+website2.jpeg" title="nmap-as-information-gather-4" width="320" /></a></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;"></span></span></span><br /><a name='more'></a><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;"><br /></span></span></span></div><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">(3)Use NMAP for Email Harvesting:- There are two script for email harvesting.</span></span></span></div><div style="margin-bottom: 0in;"><br /></div><ul><li><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">Http-google-email</span></span></span></div></li><li><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">http-email-harvesting</span></span></span></div></li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitVBjYDsQ4yazLws2tgg7a9f7IZoQZfMko8XE-gkTLskip-SNW2uW9Jc9loLx4cM-_bP8H_dhfa3sFczsgo5QuktSGQoBFYhpYLPSEZ11I0iTPHQGJxN-GaZPsUYNdq2tSUwSYuv1dROoQ/s1600/information_gatherin.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nmap-as-information-gather" border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitVBjYDsQ4yazLws2tgg7a9f7IZoQZfMko8XE-gkTLskip-SNW2uW9Jc9loLx4cM-_bP8H_dhfa3sFczsgo5QuktSGQoBFYhpYLPSEZ11I0iTPHQGJxN-GaZPsUYNdq2tSUwSYuv1dROoQ/s320/information_gatherin.jpeg" title="nmap-as-information-gather-3" width="320" /></a></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="color: black;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">Http-email-harvesting is official repository in nmap . But if you want to use Google webs & Google Group to find Email then you should Download Http-google-email from <a href="http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse">here</a>.</span></span></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">Use Following command to find email Address</span></span></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;"><b>nmap -p80 --script http-email-harvest host-name</b></span></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">(4)Use NMAP as Brute Force DNS:- DNS recor contain useful information about website. There are many tools available for this purpose , But you can also use nmap for simple DNS Brute Force Attack.</span></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">Use Following command</span></span></div><div style="margin-bottom: 0in;"><span style="color: black;"><b> <span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">nmap -p80 --script dns-brute host-name</span></span></b></span></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnYf2REZ95ZL45xYMXF238XvKdLPOYJS8H1aXTILqfzXkyvmcys42ueOs0VqPNIYAHF-yKdCaa6ahqgeTN7u0VSR_QocZEaX9r2-7-6Z73gRCWmO4VEjUcIBYSCNM-UuTKAMomTn4ZgMAp/s1600/information_gathering+23.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nmap-as-information-gather" border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnYf2REZ95ZL45xYMXF238XvKdLPOYJS8H1aXTILqfzXkyvmcys42ueOs0VqPNIYAHF-yKdCaa6ahqgeTN7u0VSR_QocZEaX9r2-7-6Z73gRCWmO4VEjUcIBYSCNM-UuTKAMomTn4ZgMAp/s320/information_gathering+23.jpeg" title="nmap-as-information-gather-2" width="320" /></a></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">(5)Discovering Additional Host-name:- we can find additional host which has same I.p. Address using simple nmap script. It can help us to find web-application which hosted on same I.p. Address.</span></span></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">Download this nse script from <a href="http://seclists.org/nmap-dev/2011/q3/att-401/http-reverse-ip.nse">here</a>.</span></span><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM_mX4sbjwG4rCsd6J-OqIjzDgHhtLvJC3zRLhWNCbCkR2jUlgCFzk9QM_tbRl2_vkRWP-bLDKHrPnynXWQHoW6rVY_18n-izmejRKfCJkDFmjf-AdQ_p8jT3QQIMWo-rY3weLa5ihaki9/s1600/reverseip.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nmap-as-information-gather" border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM_mX4sbjwG4rCsd6J-OqIjzDgHhtLvJC3zRLhWNCbCkR2jUlgCFzk9QM_tbRl2_vkRWP-bLDKHrPnynXWQHoW6rVY_18n-izmejRKfCJkDFmjf-AdQ_p8jT3QQIMWo-rY3weLa5ihaki9/s320/reverseip.png" title="nmap-as-information-gather" width="320" /></a></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;"><br /></span></span></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;">You can aslo use following script code</span></span></div><div style="margin-bottom: 0in;"><span style="font-family: Bitstream Charter, serif;"><span style="font-size: medium;"><b>nmap --script http-robtex-reverse-ip --script-args http-robtex-reverse-ip.host='ip'</b></span></span></div></div>

Use NMAP as a Information gathering tool

Usually we use NMAP as a port scanner to find open port of web-server, But with help of this Tool we can also gather Information about vict...

+ Read more »

How to Bypassing Filter to Traversal Attacks ?

<div dir="ltr" style="text-align: left;" trbidi="on">Bypassing Filter to Traversal Attacks<br /><br />If your initial attempts to perform a traversal attack, as described previously, are unsuccessful, this does not mean that the application is not vulnerable. Many application developers are aware of path traversal vulnerabilities and implement various kinds of input validation checks in an attempt to prevent them. However, those defenses are often flawed and can be bypassed by a skilled attacker.<br /><br />The first type of input filter commonly encountered involves checking<br /><br />whether the filename parameter contains any path traversal sequences, and if so, either rejects the request or attempts to sanitize the input to remove the sequences. This type of filter is often vulnerable to various attacks that use alternative encodings and other tricks to defeat the filter. These attacks all exploit the type of canonicalization problems faced by input validation mechanisms<br /><br />Always try path traversal sequences using both forward slashes and<br /><br />backslashes. Many input filters check for only one of these, when the file system may support both.<br /><br />Try simple URL-encoded representations of traversal sequences, using<br /><br />the following encodings. Be sure to encode every single slash and dot<br /><br />within your input:<br /><br />dot                            %2e<br /><br />forward slash           %2f<br /><br />backslash                  %5c<br /><br /><h3>Try using 16-bit Unicode–encoding:</h3><br />dot                           %u002e<br /><br />forward slash          %u2215<br /><br />backslash                %u2216<br /><br /><h3>Try double URL–encoding:</h3><br />dot                        %252e<br /><br />forward slash         %252f<br /><br />backslash                %255c<br /><br /><h3>Try overlong UTF-8 Unicode–encoding:</h3><br />dot                        %c0%2e       %e0%40%ae    %c0ae etc.<br /><br />forward slash        %c0%af       %e0%80%af      %c0%2f etc.<br /><br />backslash              %c0%5c       %c0%80%5c      etc.<br /><br />You can use the illegal Unicode payload type within Burp Intruder to generate a huge number of alternate representations of any given character, and submit this at the relevant place within your target parameter. These are representations that strictly violate the rules for Unicode representation but are nevertheless accepted by many implementations of Unicode decoders, particularly on the Windows platform.<br /><br />If the application is attempting to sanitize user input by removing traversal sequences, and does not apply this filter recursively, then it may be possible to bypass the filter by placing one sequence within another. For example:<br /><br />....//<br /><br />....\/<br /><br />..../\<br /><br />....\\<br /><br />The second type of input filter commonly encountered in defenses against path traversal attacks involves verifying whether the user-supplied filename contains a suffix (i.e., file type) or prefix (i.e., starting directory) that the application is expecting.<br /><br />Some applications check whether the user-supplied file name ends in a<br /><br />particular file type or set of file types, and reject attempts to access anything else. Sometimes this check can be subverted by placing a URL encoded null byte at the end of your requested filename, followed by a file type that the application accepts.<br /><br /><h3 style="text-align: left;">For example:</h3><div style="text-align: left;"><br />../../../../../boot.ini.jpg<br /><br />The reason this attack sometimes succeeds is that the file type check<br /><br />is implemented using an API in a managed execution environment<br /><br />in which strings are permitted to contain null characters (such as<br /><br />String.endsWith() in Java). However, when the file is actually retrieved, the application ultimately uses an API in an unmanaged environment in which strings are null-terminated and so your file name is effectively truncated to your desired value.<br /><br />A different attack against file type filtering is to use a URL-encoded newline character. Some methods of file retrieval (usually on Unix-based platforms) may effectively truncate your file name when a newline is encountered:<br /><br />../../../../../etc/passwd%0a.jpg<br /><br />Some applications attempt to control the file type being accessed by<br /><br />appending their own file type suffix to the filename supplied by the user. In this situation, either of the preceding exploits may be effective, for the same reasons.<br /><br />Some applications check whether the user-supplied file name starts with a particular subdirectory of the start directory, or even a specific file name. This check can of course be trivially bypassed as follows:<br /><br />wahh-app/images/../../../../../../../etc/passwd<br /><br />If none of the preceding attacks against input filters are successful individually, it may be that the application is implementing multiple types of filters, and so you need to combine several of these attacks simultaneously (both against traversal sequence filters and file type or directory filters). If possible, the best approach here is to try to break the problem down into separate stages. For example, if the request for<br /><br />diagram1.jpg<br /><br />is successful, but the request for<br /><br />foo/../diagram1.jpg<br /><br />fails, then try all of the possible traversal sequence bypasses until a variation on the second request is successful. If these successful traversal sequence bypasses don’t enable you to access /etc/passwd, probe whether any file type filtering is implemented and can be bypassed, by requesting<br /><br />diagram1.jpg.jpg<br /><br />Working entirely within the start directory defined by the application, try to probe to understand all of the filters being implemented, and see whether each can be bypassed individually with the techniques described.<br /><br />Of course, if you have white box access to the application, then your task is much easier, because you can systematically work through different types of input and verify conclusively what filename (if any) is actually reaching the file system. </div></div>

How to Bypassing Filter to Traversal Attacks ?

Bypassing Filter to Traversal Attacks If your initial attempts to perform a traversal attack, as described previously, are unsuccessful, thi...

+ Read more »

DOM Based XSS In AVG

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><img src="https://twimg0-a.akamaihd.net/profile_images/1272438885/DOMInatrixss.png" /></div><br />Lately, i have been researching on DOM based XSS a bit, Recently i found a DOM based XSS in AVG, DOM based XSS is caused due to lack of input filtering inside client side javascripts, since most of the code is moving towards client side, therefore DOM based xss have been very common now a days, It is predicted by the experts that the DOM based xss mostly occurs in the websites that heavily rely upon javascripts.<br /><a name='more'></a><br />With that being said, let's take a look at the DOM based XSS POC:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA6mhfVuxJFwNtoFqhv2jltHkiM9-rqw-98pnbB0sLy7R2_HsHvyNBcp-Dcmt7hiyQG0ZAxkovSPw-YMsKyld7p5f9n-vjNfZkN0dIILt6gYTQNrmrIf8m4yslBgED9kv8S4HLrd2MPIw/s1600/AVG.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA6mhfVuxJFwNtoFqhv2jltHkiM9-rqw-98pnbB0sLy7R2_HsHvyNBcp-Dcmt7hiyQG0ZAxkovSPw-YMsKyld7p5f9n-vjNfZkN0dIILt6gYTQNrmrIf8m4yslBgED9kv8S4HLrd2MPIw/s640/AVG.png" width="577" /></a><br /><br /><br />The vulnerability is the result of lack of escaping done in "js_stdfull.js". The following is the screen shot of the vulnerable code causing the DOM based XSS:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIabGoCleJQiab9yCez31enmHeMwrntvR5vO0m5GB06X244h0fuiShvMG2wtII5zLLOm-AO_gVD10ZHkPd4NrQTRsSTICP0L9p2Gdks9IpPrfHgYQdjH1hJU9_AZZPrTnbBc27h6wTeBE/s1600/AVG-DOM-XSS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIabGoCleJQiab9yCez31enmHeMwrntvR5vO0m5GB06X244h0fuiShvMG2wtII5zLLOm-AO_gVD10ZHkPd4NrQTRsSTICP0L9p2Gdks9IpPrfHgYQdjH1hJU9_AZZPrTnbBc27h6wTeBE/s640/AVG-DOM-XSS.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Vulnerable code:</b><br /><br /> //display the correct tab based on the url (#name) var pathname = $(location).attr('href');var urlparts = pathname.split("#"); <br /><br />I would like to give full credits to <b>David Vieira-Kurz from Majorsecurity.com (@secalert)</b>, for helping me sort out the vulnerable code.<br /><br />Yet another security researcher, David Sopas also found the same issue but on the English version of the site:<br /><b><br />http://labs.davidsopas.com/2013/01/avg-vulnerable-to-dom-xss.html</b></div>

DOM Based XSS In AVG

Lately, i have been researching on DOM based XSS a bit, Recently i found a DOM based XSS in AVG, DOM based XSS is caused due to lack of inpu...

+ Read more »

Path traversal vulnerabilities Tutorial

<div dir="ltr" style="text-align: left;" trbidi="on">Path traversal vulnerabilities arise when user-controllable data is used by the application to access files and directories on the application server or other back-end file system in an unsafe way. By submitting crafted input, an attacker Exploiting Path Traversal may be able to cause arbitrary content to be read from, or written to, anywhere on the file system being accessed. This often enables an attacker to read sensitive information from the server, or overwrite sensitive files, leading ultimately to arbitrary command execution on the server.<br /><br />Consider the following example, in which an application uses a dynamic page to return static images to the client. The name of the requested image is specified in a query string parameter:<br /><br />https://wahh-app.com/scripts/GetImage.aspx?file=diagram1.jpg<br /><br />When the server processes this request, it performs the following steps:<br /><br />1. Extracts the value of the file parameter from the query string.<br /><br />2. Appends this value to the prefix C:\wahh-app\images\.<br /><br />3. Opens the file with this name.<br /><br />4. Reads the file’s contents and returns it to the client.<br /><br />The vulnerability arises because an attacker can place path traversal<br /><br />sequences into the file name in order to backtrack up from the image directory specified in step 2 and so access files from anywhere on the server. The path traversal sequence is known as “dot-dot-slash,” and a typical attack would look like this:<br /><br />https://wahh-app.com/scripts/GetImage.aspx?file=..\..\windows\repair\sam<br /><br />When the application appends the value of the file parameter to the name of the images directory, it obtains the following path:<br /><br />C:\wahh-app\images\..\..\winnt\repair\sam<br /><br />The two traversal sequences effectively step back up from the images directory to the root of the C: drive, and so the preceding path is equivalent to this: C:\winnt\repair\sam<br /><br />Hence, instead of returning an image file, the server actually returns the repair copy of the Windows SAM file. This file may be analyzed by the attacker to obtain usernames and passwords for the server operating system.<br /><br />In this simple example, the application implements no defenses to prevent path traversal attacks. However, because these attacks have been widely known about for some time, it is common to encounter applications that implement various defenses against them, often based on input validation filters. As you will see, these filters are often poorly designed and can be bypassed by a skilled attacker. </div>

Path traversal vulnerabilities Tutorial

Path traversal vulnerabilities arise when user-controllable data is used by the application to access files and directories on the applicati...

+ Read more »

Adobe Zero Day Malware - Upgrade Adobe Reader and Acrobat

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgfd5GvM8501E7RKiz3z-UWS3wmvIYv30VlZcXeY7fx1U7AkEEYCBaqnH7J6InmSIcXNN0aBF2Jeem__eVWISsWIbiX9RclhfpoesGVEp-7yTBd5mwc7lAl7py3cbL-GlszI04DSyYxUg/s1600/images.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgfd5GvM8501E7RKiz3z-UWS3wmvIYv30VlZcXeY7fx1U7AkEEYCBaqnH7J6InmSIcXNN0aBF2Jeem__eVWISsWIbiX9RclhfpoesGVEp-7yTBd5mwc7lAl7py3cbL-GlszI04DSyYxUg/s320/images.jpg" width="320" /></a></div><div><br /></div><div><br /></div><div>A few days ago we blogged about <a href="http://www.rafayhackingarticles.net/2013/02/adobe-zero-day-malware-stripped-by.html" rel="nofollow" target="_blank"><b>Adobe's Zero-Day Malware</b></a> affecting Adobe Reader and Acrobat. The malware was investigated on by Sophos Lab and they uncovered an ample amount of information. We reported that while Adobe was trying to fix the vulnerability, users could defend themselves by following a <a href="http://www.rafayhackingarticles.net/2013/02/adobe-zero-day-how-to-protect-yourselves.html" rel="nofollow" target="_blank"><b>few simple steps</b></a>. Well, Adobe has kept its promise and we shall fear no more. The emergency update for Adobe Reader and Acrobat have been released.<br /><br /><a name='more'></a><br /></div><div><br /></div><div>Adobe has fixed it for all platforms. It is highly recommended that all Mac, Windows and Linux users upgrade to the <a href="http://www.adobe.com/support/security/bulletins/apsb13-07.html" rel="nofollow" target="_blank"><b>new release</b></a>.</div><div><br /></div><div><b>According to Adobe's Security Bulletin;</b></div><div><br /></div><blockquote class="tr_bq"><span style="background-color: white;"><span style="font-family: inherit;"><span style="line-height: 19px; text-align: -webkit-auto;">Adobe is aware of reports that two vulnerabilities (CVE-2013-0640, CVE-2013-0641) referenced in </span><a href="http://www.adobe.com/support/security/advisories/apsa13-02.html" rel="nofollow" style="line-height: 19px; text-align: -webkit-auto; text-decoration: none;" target="_blank"><span style="color: black;">Security Advisory APSA13-02</span></a><span style="line-height: 19px; text-align: -webkit-auto;"> are being exploited in the wild. Adobe recommends users update their product installations using the instructions provided in the "Solution" section below.</span></span></span></blockquote><div><span style="background-color: #eaeaea; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 19px; text-align: -webkit-auto;"><br /></span></div><div>Cheers!</div><div><br /></div><div><b>About the Author:</b></div><div>This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.</div></div>

Adobe Zero Day Malware - Upgrade Adobe Reader and Acrobat

A few days ago we blogged about Adobe's Zero-Day Malware affecting Adobe Reader and Acrobat. The malware was investigated on by Sophos ...

+ Read more »

All Problems And Solutions Related To SQL injection

<div dir="ltr" style="text-align: left;" trbidi="on">                             <img alt="SQL1.bmp" height="363" src="http://blog.mile2.com/wp-content/uploads/2012/03/SQL1.bmp" width="400" /><br /><br />Today I'll write a tutorial for you that covers most problems while applying SQL injection and solutions to them. Probably every person who has looked at tutorials to hack a website have noticed that there are too many SQL tutorials. Almost every forum has 10 tutorials and blogs 5 tutorials about SQL injection, but actually those tutorials are stolen from somewhere else and the author most of the time doesn't even know why does SQL injection works. All of those tutorials are like textbooks with their ABC's and the result is just a mess. Everyone is writing tutorials about SQL, but nobody covers the problems what will come with that attack.<br /><a name='more'></a><strong>What is the cause of most problems related to SQL injection?</strong><br /><strong><br /></strong>Webdevelopers aren't always really dumb and they have also heard of hackers and have implemented some security measures like WAF or manual protetion. WAF is an Web application firewall and will block all malicous requests, but WAF's are quite easy to bypass. Nobody will like to have their site hacked and they are also implementing some security, but ofcourse it will be false to say that if we fail then it's the servers fault. There's also a huge possibility that we're injecting otherwise than we should.<br />A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.<br /><br />If you're interested in WAF's and how they're working then I suggest you read it from wikipedia http://en.wikipedia.org/wiki/Application_firewall or from Open Web Application Security Project what's also known as OWASP<br /><br /><b>https://www.owasp.org/index.php/Web_Application_Firewall</b><br /><strong><br />Order by is being blocked?</strong><br />It rarely happens, but sometimes you can't use order by because the WAF has blocked it or some other reason. Unfortunally we can't skip the order by and we have to find another way. The way is simple, instead of using Order by we have to use <strong>Group by</strong> because that's very unlikely to be blacklisted by the WAF.<br />If that request will return 'forbidden' then it means it's blocked.<br /><pre><b><br /></b></pre><pre><b>http://site.com/gallery?id=1 order by 100--</b></pre><br />Then you have to try to use Group by and it will return correct : <br /><pre><b><br /></b></pre><pre><b>http://site.com/gallery?id=1 group by 100-- / success</b></pre><br />Still there's a possibility that WAF will block the request, but there's one other way and that's not very widely known. It's about using ( the main query ) = (select 1)<br /><pre><b><br /></b></pre><pre><b>http://example.org/news.php?id=8 and (select * from admins)=(select 1)</b></pre><br />Then you'll probably receive an error like this : <em>Operand should contain 5 column(s)</em>.<br />That error means that there are 5 columns and it means we can proceed to our next step what's union select. The command was different than usual, but the injection will be the same.<br /><pre></pre><pre>http://site.com/news.php?id=-8 union select 1,2,3,4,5--</pre><strong>'order by 10000' and still not error?</strong><br /><br />There's a small chapter where I'll tell you why sometimes order by won't work and you don't see an error. The difference between this capther and the last one is that previously your requests were blocked by the WAF, but here the injection method is a little bit different. When I saw that the first time then I thought about how a Database has 100000 columns because I'm not getting the error while the site is vulnerable?<br /><br />The answer is quite logical. By trying order by 1000000 we're not getting the error because there are so many columns in there, we're not getting the error because our injection isn't working.<br /><br /><pre></pre><pre>Example : site.com/news.php?id=9 order by 10000000000-- [No Error] </pre><br />to bypass this you just have to change the URL a little bit. Add ' after the ID number and at the end just enter +<br />Example : <br /><pre></pre><pre>site.com/news.php?id=9' order by 10000000--+[Error]<br /></pre><br />If the last example is working for you then it means you have to use it in the next steps also. This isn't anything complicated, but to make everything clear I'll still give you an example.<br /><br /><pre></pre><pre>http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+</pre><br /><strong><br /></strong><strong>Extracting data from other database.</strong><br /><br />Sometimes we can administer the injection successfully and there doesn't appear any errors, it's a hacker's perfect dream. That dream will end the moment we see that nothing useful exists while doing so. There are only few tables and are called "News", "gallery" and "articles". They aren't useful at all because we'd like to see tables like "Admin" or "Administrator". Still we know that the server probably has several databases and even if we find the information we're looking for, you should still take a look within the other databases as well.<br /><br />This will give you Schema names.<br /><br /><pre><b><br /></b></pre><pre><b>site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata</b></pre>And with this code you can get the tables from the schema.<br /><br /><pre></pre><pre><b>site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from informati</b></pre><pre><b>on_schema.tables where table_schema=0x<hex name="" of="" schema="" value=""></hex></b></pre>This code will give you the column names.<br /><br /><pre></pre><pre><b>site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.tables where table_schema=0x<hex name="" of="" schema="" value=""> and table_name=0x<hex name="" of="" table="" value=""></hex></hex></b></pre><br /><strong><br />I get error if I try to extract tables.</strong><br /><br /><pre></pre><pre><b>site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables</b></pre><br />Le wild Error appears.<br /><pre></pre><pre>"you have an error in your sql syntax near '' at line 1"<pre>Change the URL for this<br /><pre></pre><pre><b>site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name),4 from information_schema.tables limit 0,1-- </b></pre></pre></pre><strong>How to bypass WAF/Web application firewall</strong><br /><br />The biggest reason why most the problems occur is due to most of the security measures added to the server and WAF, but mostly they're of no use and can be bypassed really easily. Mostly you will get error 404 like it's in the code below, this is WAF. Most likely persons who're into SQL injection and bypassing WAF's are thinking at the moment "Dude, only one bypassing method?", but in this case we both know that bypassing WAF's is a different kind of science and I could write a ebook on bypassing them. I'll answer all those bypassing queries another time. <br /><br /><pre>"404 forbidden you do not have permission to access to this webpage"</pre>The code will look like this if you get the error<br /><br /><pre></pre><pre><b>http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--</b></pre><b> [Error]</b><br />Change the url Like it's below.<br /><pre></pre><pre><b>http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--</b></pre><b> [No error]</b><br /><strong><br /></strong><strong>Is it possible to modify the information in the database by SQL injection?</strong><br /><br />Most people aren't aware of it, but it's possible. You're able to Update, Drop, insert and select information. Most of people who're dealing with SQL injection have never looked deeper in the attack than shown in the average SQL injection tutorial, but an average SQL injection tutorial doesn't have those statements added. Most likely because most people are copy&pasting tutorials or just overwriting them. You might ask that why should one update, drop or insert information into the database if I can just look into the information to use the current ones, why should we make another Administrator account if there already exists one? <br /><br />Reading information is just one part of the injection and sometimes those other commands that are quite infamous are more powerful than we think. If you have read all those avalible SQL injection tutorials then you're probably aware that you can read the information, but you didn't know that you can modify it. If you have tried SQL injection then you have probably faced some problems that there isn't an administrator account, why not use the Insert command to add one? There isn't an admin page to login, why not drop the table and all information so nobody can access it? I want to get rid of the current Administrator and can't change the password, why not use the update commands to change the password of the Administrator?<br />You must have noticed that I have talked alot about unneccesary information that you probably don't need to know, but that's the information you need to learn and understand to become a real hacker because you have to learn how SQL databases are working to fiqure out how those commands are working because you can't find tutorials about it on the network. It's just like math you learn in school, if you won't learn it then you'll be in trouble when you grow up.<br /><br />Theory is almost over and now let's get to the practice.<br /><br />Let's say that we're visiting that page and it's vulnerable to SQL injection.<br /><br /><pre><b>http://site.com/news.php?id=1</b></pre>You have to start injecting to look at the tables and columns in them, but let's assume that the current table is named as "News".<br /><br />With SQL injection you can SELECT, DROP, UPDATE and INSERT information to the database. The SELECT is probably already covered in all the tutorials so let's focus on the other three. Let's start with the DROP command.<br /><br />I'd like to get rid of a table, how to do it?<br /><br /><pre><b>http://site.com/news.php?id=1; DROP TABLE news</b></pre><br />That seems easy, we have just dropped the table. I'd explain what we did in the above statement, but it's quite hard to explain because you all can understand the above command. Unfortunally most of 'hackers' who're making tutorials on SQL injection aren't aware of it and sometimes these three words are more important than all the information we can read on some tutorials.<br /><br />Let's head to the next statement what's UPDATE.<br /><br /><pre><b><br /></b></pre><pre><b>http://site.com/news.php?id=1; UPDATE 'Table name' SET 'data you want to edit' = </b></pre><pre><b>'new data' WHERE column_name='information'--</b></pre><br />Above explanation might be quite confusing so I'll add a query which is what you're most likely going to use in real life :<br /><br /><pre><b>http://site.com/news.php?id=1; UPDATE 'admin_login' SET 'password' = 'Crackhackforum' WHERE login_name='Rynaldo'--</b></pre>We have just updated Administrator account's password. In the above example, we updated the column called 'admin_login" and added a password what is "Crackhackforum" and that credential belongs to the account with the username Rynaldo. Kinda heavy to explain, but I hope you'll understand.<br /><b>How does INSERT work?</b><br />Luckily "INSERT" isn't as easy as the "DROP" statement, but still quite understandable. Let's go further with Administrator privileges because that's what most of people are heading to. Adding an administrator<br />account would be like this : <br /><br /><pre></pre><pre><b>http://site.com/news.php?id=1; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (2,'Rynaldo','Crackhackforum','NA')--</b></pre>INSERT INTO 'admin_login' means that we're inserting something to 'admin_login'. Now we have to give instructions to the database, about what exact information we want to add, ('login_id', 'login_name', 'password', 'details'). Means that the specifications we're adding to the DB are Login_id, Login_name, password and details and the information the database needs to create a new account. So far we have told the database what information we want to add, we want to add a new account, password, account ID and details. Now we have to tell the database what will be the new account's username, it's password and account ID, VALUES (2,'Rynaldo','Crackhackforum','NA')-- . That means account ID is 2, username will be Rynaldo, password of the account will be Crackhackforum. Your new account has been added to the database and all you have to do is open up the Administrator page and login.<br /><strong>Passwords aren't working</strong><br /><br />Sometimes the site is vulnerable to SQL and you can get the passwords. Then you can find the site's username and password, but when you enter it into adminpanel then it shows the "Wrong password" error. This can be because those usernames and passwords are there, but aren't working. This is made by site's admin to confuse you and actually the Cpanel doesn't contain any username/password. Sometimes accounts are removed, but the accounts are still in the database. Sometimes it isn't made by the admin and those credentials have been left in the database after removing the login page, sometimes the real credentials have been transfered to another database and old entries haven't been deleted.<br />Sometimes I get some weird password<br />This weird password is called Hash and most likely it's MD5 hash. That means the site's admin has added more security to the website and has encrypted the passwords. Most popular crypting way is using MD5 hash. The best way to crack MD5 hashes is using PasswordsPro or Hashcat because they're the best and can crack the password even if it's really hard or isn't MD5. Also you can use http://md5decrypter.com. I don't like to be a person who's pitching around with small details that aren't correct, but here's a tip that you should keep in mind. The domain is saying it's "md5decryptor" that reffers to decrypting MD5 hashes.<br />Actually it's not possible to decrypt a hash because they're having 'one-way' encryption. One way encryption means it can only be encrypted, but not decrypted. Still it doesn't mean that we can't know what the hash means, we have to crack it. Hashes can't be decrypted, only cracked. Those online sites aren't cracking hashes every time, they're saving already cracked hashes & results to their database and if you'll ask a hash what's already in their database, you will get the result. :)<br />Md5 hash looks like this : 827ccb0eea8a706c4c34a16891f84e7b = 12345<br />You can read about all Hashes that exist and their description http://pastebin.com/aiyxhQsf<br />Md5 hashes can't be decrypted, only cracked<br />How to find admin page of site?<br />Some sites don't contain admin control panel and that means you can use any method for finding the admin page, but that doesn't even exist. You might ask "I got the username and password from the database, why isn't there any admin login page then?", but sometimes they are just left in the database after removing the Cpanel.<br />Mostly people are using tools called "Admin page finders". They have some specific list of pages and will try them. If the page will give HTTP response 200 then it means the page exists, but if the server responds with HTTP response 404 then it means the page doesn't exist in there. If the page exists in the list then the tool will say "Page found". I don't have any tool to share at the moment, but if you're downloading it yourself then be beware because those tools might beinfected with viruses.<br />Mostly the tools I mentioned above, Admin Page Finders doesn't usually find the administrator page if it's customly made or renamed. That means quite oftenly those tools don't help us out and we have to use an alternative and I think the best one is by using site crawlers. Most of you are probably having Acunetix Web Vulnerability scanner 8 and it has one wonderful feature called site crawler. It'll show you all the pages on the site and will 100% find the login page if there exists one.<br />Automated SQL injection tools.<br />Automated SQL injection tools are programs what will do the whole work for you, sometimes they will even crack the hashes and will find the Administrator page for you. Most people are using automated SQL injection tools and most popular of them are Havij and SQLmap. Havij is being used much more than SQLmap no matter the other tool is much better for that injection. The sad truth why that is so is that many people aren't even able to run SQLmap and those persons are called script-kiddies. Being a script-kiddie is the worst thing you can be in the hacking world and if you won't learn how to perform the attack manually and are only using tools then you're one of them.<br />If you're using those tools to perform the attack then most people will think that you're a script-kiddie because most likely you are. Professionals won't take you seriously if you're injecting with them and you won't become a real hacker neither.<br /><br /> My above text might give you a question, "But I've seen that even Proffesional hackers are using SQLmap?" and I'd like to say that everything isn't always black & white. If there are 10 databases, 50 tables in them and 100 columns in the table then it would just take days to proccess all that information. I'm also sometimes using automated tools because it makes my life easier, but to use those tools you first have to learn how to use those tools manually and that's what the tutorial above is teaching you.<br />Use automated tools only to make your life easier, but don't even look at them if you don't know how to perform the attack manually.<br /><br />What else can I do with SQL injection besides extracting information? There are many things besides extracting information from the database and sometimes they are much more powerful. We have talked about how sometimes the database doesn't contain Administrator's credentials or you can't crack the hashes. Then all the injection seems pointless because we can't use the information we have got from the database. Still we can use another methods. Just like we can conduct CSRF attack with persistent XSS, we can also move to another attacks through SQL injection. One of the solution would be performing DOS attack on the website which is vulnerable to SQL injection. DOS is shortened from Denial of service and it's totaly different from DDOS that's Distributed Denial of Service. I think that you all probably know what these are, but if I'm taking that attack up with a sentence then DOS will allow us to take down the website temporarily so users won't have access to the site. The other way would be uploading our shell through SQL injection. If you're having a question about what's shell then by saying it shortly, it's a script what we'll upload to the server and it will create an backdoor for us and will give us all the privileges to do what we'd like in the server and sometimes by uploading a shell you're having more rights to modify things than the real Administrator has. After you have uploaded a shell you can move forward to symlink which means that we can deface all the sites that are sharing the same server. Shelling the website is probably the most powerful thing you can use on the website. I have not covered how to upload a shell through SQL injection and haven't covered how to cause DOS neither, but probably will do in my next tutorials because uploading a shell through SQL is another kind of science, just like bypassing WAF's. Those are the most common methods that attackers will put in use after they can't get anything useful out of the database. We have all heard that immagination is unlimited and you can do whatever you'd like. That's kinda true and hacking isn't an exception, there are more ways than I can count.<br /><br />What to do if all the information doesn't display on the page?<br />I actually have rarely ever seen that there is so much information on the webpage that it all just doesn't fit in there, but one person recently asked that question from me and I decided to add it here. Also if you're having questions then surely ask and I'll update the article. If we're getting back to the question then the answer is simple, if all the information can't fit in the screen then you have to look at the source code because everything displayed on the webpage will be in there. Also sometimes information will appear in the tab where usually is the site's name. If you can't see the information then sometimes it's hidden, but with taking a deeper look you might find it from the source. That's why you always have to look all the solutions out before quiting because sometimes you might think "I can't inject into that..", but actually the answer is hidden in the source.<br /><b><br /></b><b>About the Author</b> <br />Every sentence of that thread is writtened by Crackhackforum.com staff Rynaldo. You can use that tutorial on your blog, sites and forums if you'll keep the credits to crackhackforum.com Staff Rynaldo and linking to this post. </div>

All Problems And Solutions Related To SQL injection

Today I'll write a tutorial for you that covers most problems while applying SQL injection and solutions t...

+ Read more »

Jailbreak iOS 6.1.2 Untethered On All iDevices

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMrUfqywmrXdXomnjy1hqj85ihWbeLSAfHnvHE9wHTfyAOvQp7FlOcJtHZiFGCTbV7Uiz2isWoOMr9cK0X4S-ha8o4nf6V1hKXlx1geFJnKja6Qg5MzFG70YlvpZ4BhHaoSBWjO3lYqAU/s1600/evasi0n14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMrUfqywmrXdXomnjy1hqj85ihWbeLSAfHnvHE9wHTfyAOvQp7FlOcJtHZiFGCTbV7Uiz2isWoOMr9cK0X4S-ha8o4nf6V1hKXlx1geFJnKja6Qg5MzFG70YlvpZ4BhHaoSBWjO3lYqAU/s640/evasi0n14.jpg" width="640" /></a></div><br /><br />Apple has been quick to patch the last of the bugs found in the iOS 6.1.1. With the release of iOS 6.1.2 it seemed that Apple would patch the jailbreak exploit as well. Fortunately, they haven't. The developers of the jailbreak tool Evasi0n are on a roll as they have updated the software to support iOS 6.1.2. Evasi0n v1.4 can now untether jailbreak iOS 6.1.2.<br /><br /><a name='more'></a><br /><br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz7UB3Kse7yn_OEtOZFaCpxClZPgM9QrwQ1qsP0iaixxpDT_7jWmkOA70bupMWGkW_iEk7LqxfnlwWJzZ8k9xDXYNNCiDNoCSBiDVzD-ZXP8gl84oZ_Dy4gSu7OboXRL10T9eVev7BsY4/s1600/evasi0n-download.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz7UB3Kse7yn_OEtOZFaCpxClZPgM9QrwQ1qsP0iaixxpDT_7jWmkOA70bupMWGkW_iEk7LqxfnlwWJzZ8k9xDXYNNCiDNoCSBiDVzD-ZXP8gl84oZ_Dy4gSu7OboXRL10T9eVev7BsY4/s400/evasi0n-download.png" width="400" /></a></div><div style="color: #444444; font-family: Arial, Helvetica, Tahoma, sans-serif; font-size: 14px; font-style: italic; line-height: 22px; padding: 0px 0px 15px; text-align: -webkit-auto;"><strong><br /></strong></div><div style="font-family: Arial, Helvetica, Tahoma, sans-serif; font-size: 14px; font-style: italic; line-height: 22px; padding: 0px 0px 15px; text-align: -webkit-auto;"><strong>Note</strong>: This Jailbreak tool is available for all the iDevices mentioned below:</div><ul style="font-family: Georgia, 'Times New Roman', 'Trebuchet MS'; font-size: 16px; font-style: italic; line-height: 22px; list-style-type: none; margin: 0px 0px 15px 25px; padding: 0px; text-align: -webkit-auto;"><li style="list-style-type: none; margin: 0px; padding: 0px;">iPhone 5</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPhone 4S</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPhone 4</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPhone 3GS</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPad 4</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPad 3</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPad 2</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPad mini</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPod touch 4</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iPod touch 5</li></ul><div style="font-family: Arial, Helvetica, Tahoma, sans-serif; font-size: 14px; font-style: italic; line-height: 22px; padding: 0px 0px 15px; text-align: -webkit-auto;">Its supported firmwares are:</div><ul style="font-family: Georgia, 'Times New Roman', 'Trebuchet MS'; font-size: 16px; font-style: italic; line-height: 22px; list-style-type: none; margin: 0px 0px 15px 25px; padding: 0px; text-align: -webkit-auto;"><li style="list-style-type: none; margin: 0px; padding: 0px;">iOS 6.0</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iOS 6.0.1</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iOS 6.0.2</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iOS 6.1</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iOS 6.1.1</li><li style="list-style-type: none; margin: 0px; padding: 0px;">iOS 6.1.2</li></ul><br />Evasi0n tool supports all iDevices except Apple TV 3 and it is recommended that you backup your device using iTunes or iCloud before proceeding.<br /><br />All the steps are exactly the same as before. Nothing has changed. If you haven't read up on the topic, we would suggest you look into a <a href="http://www.techlotips.com/2013/02/05/jailbreak-untethered-ios-6-1-for-idevcies-detailed-tutorial/" target="_blank"><b>full tutorial</b></a>.<br /><br /><b>Please read the instructions below and follow them to the dot:</b><br /><br />1. Update your iDevice to iOS 6.1.2 via iTunes restore. Click <a href="http://www.techlotips.com/2013/02/20/ios-6-1-2-released-for-iphone-ipad-and-ipod-touch-download-links/" target="_blank"><b>here</b></a> to download iOS 6.1.2 and update your iDevice manually.<br /><br />2. Download Evasi0n Jailbreak Tool v1.4 on your Windows, Mac or Linux. (Download links provided below).<br /><br />3. Disable password lock in case you have enabled it on your iDevice. To do so, go to Settings --> General --> Passcode Lock, and then just switch it off.<br /><br />4. Run Evasi0n on your computer to get started.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-eEfyKJrrIE-hU7IhdOxY_uB68XPAioKVFRsvQPDund1jqtfrOTxJLBKzVU_0Nrsh0qvEm9q7OUgcPNtmyMKidxS9Anr5IvwV2fAXhqU-fh0zRZCAWBNSMpxnqAuEIfUkUh9YI6g4KsY/s1600/33.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-eEfyKJrrIE-hU7IhdOxY_uB68XPAioKVFRsvQPDund1jqtfrOTxJLBKzVU_0Nrsh0qvEm9q7OUgcPNtmyMKidxS9Anr5IvwV2fAXhqU-fh0zRZCAWBNSMpxnqAuEIfUkUh9YI6g4KsY/s320/33.jpg" width="320" /></a></div><br />5. Connect your iDevice to your computer via data cable and make sure that your computer recognises it.<br /><br />6. Hit the jailbreak option and wait for the software to complete performing necessary steps to jailbreak your device. Do not touch your device or your computer during this time.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLKvMukzjAAuGvbYZD_3N-e3f-usRcdIvkVd_EGQHTAZb93p311Tk2T0Qtd4rRhq8tsKYLRFMTClxjPd0wk31F736E2-p5EtrFhXkjfUnqDwZMn1_EI-fmiPhP_H_QAZUU1lqwFLCXfw0/s1600/Evasi0n-White-Screen.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLKvMukzjAAuGvbYZD_3N-e3f-usRcdIvkVd_EGQHTAZb93p311Tk2T0Qtd4rRhq8tsKYLRFMTClxjPd0wk31F736E2-p5EtrFhXkjfUnqDwZMn1_EI-fmiPhP_H_QAZUU1lqwFLCXfw0/s320/Evasi0n-White-Screen.jpg" width="320" /></a></div><br />7. Once done, your iDevice will boot back up. When it does, unlock your device, and click on the icon which will now be available on your homescreen named "jailbreak". Click on it and wait.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxbEMKSpkzt28o9Zd1l6N3NC3WjY_U4euWTpgC4eISovmvFcDdHIv5l5ZHjiYe-vhFBQdEvzNYjBK5RpmDbnf0SYUy4YQAbt6UANrTBDdhSFib8olIg_NnugBNLRBGe7-H7W3HKzxSM6A/s1600/evasi0n-jailbreak-4-FSMdotCOM.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxbEMKSpkzt28o9Zd1l6N3NC3WjY_U4euWTpgC4eISovmvFcDdHIv5l5ZHjiYe-vhFBQdEvzNYjBK5RpmDbnf0SYUy4YQAbt6UANrTBDdhSFib8olIg_NnugBNLRBGe7-H7W3HKzxSM6A/s320/evasi0n-jailbreak-4-FSMdotCOM.jpg" width="320" /></a></div><br />8. After rebooting a couple of times, you will then have access to Cydia on your homescreen. This means that you have successfully jailbroken your iGadget. Congratulations!<br /><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguaDQv3xzzZcJqq5VdSuGj7EE5A_G2Qht-hYGpfEWddI88O9f8yiYekkeM_gqYd_dbzP_rC5uUOmh2l5CL3_F46UgaPqcOIRQ5EbFbJJa6Z4jjC0GHddOiv7KHAc7ehbmNyTUEmKYQr9U/s1600/jailbreak-iphone-5-4s-6.1-evasi0n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguaDQv3xzzZcJqq5VdSuGj7EE5A_G2Qht-hYGpfEWddI88O9f8yiYekkeM_gqYd_dbzP_rC5uUOmh2l5CL3_F46UgaPqcOIRQ5EbFbJJa6Z4jjC0GHddOiv7KHAc7ehbmNyTUEmKYQr9U/s200/jailbreak-iphone-5-4s-6.1-evasi0n.jpg" width="198" /></a><b></b><br /><b><b><br /></b></b><b><b><br /></b></b><b><br /></b><br /><div style="text-align: center;"><b><b>Download Evasi0n Jailbreak Tool v1.4</b></b></div><br /><div style="text-align: center;"><a href="https://sites.google.com/site/evad3rs/evasi0n-win-1.4-91fc5a30e4caf41b22e85427e1b3b738f5158d8e-release.zip?attredirects=0&d=1" target="_blank">Windows</a></div><div style="text-align: center;"><a href="https://sites.google.com/site/evad3rs/evasi0n-mac-1.4-91fc5a30e4caf41b22e85427e1b3b738f5158d8e-release.dmg?attredirects=0&d=1" target="_blank">Mac</a></div><div style="text-align: center;"><a href="https://sites.google.com/site/evad3rs/evasi0n-linux-1.4-91fc5a30e4caf41b22e85427e1b3b738f5158d8e-release.tar.lzma?attredirects=0&d=1" target="_blank">Linux</a></div><div style="text-align: center;"><br /></div><br /><br /><div class="separator" style="clear: both; text-align: center;"></div><br />Cheers!<br /><br /><b>About the Author:</b><br />This article is written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.<br /><br /><br /><br /><br /></div>

Jailbreak iOS 6.1.2 Untethered On All iDevices

Apple has been quick to patch the last of the bugs found in the iOS 6.1.1. With the release of iOS 6.1.2 it seemed that Apple would patch th...

+ Read more »

BlackBerry Users At Risk

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho66m1TgN1Zg69xgUNl021dMMjA8bnektA-QW0B_k6F6ZnGuvX9AUVLkOtHZe2IJhiPH6V9LNdWfFZPKhwiR_27tvqbQZ93RMQf0EXRv_0OeXfhX0snwP9tOP6bFezJimlN6yBddksR0o/s1600/images.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho66m1TgN1Zg69xgUNl021dMMjA8bnektA-QW0B_k6F6ZnGuvX9AUVLkOtHZe2IJhiPH6V9LNdWfFZPKhwiR_27tvqbQZ93RMQf0EXRv_0OeXfhX0snwP9tOP6bFezJimlN6yBddksR0o/s640/images.jpg" width="640" /></a></div><br /><br />Attention all BlackBerry users! You are vulnerable to remote attacks by hackers.<br /><br />It has been reported by Blackberry security advisory that it is possible for hackers to infiltrate BlackBerry Enterprise Server. Hackers can also run malicious code on BES which is used by many companies. These exploits are considered to be grave in nature.<br /><br /><a name='more'></a><br />According to BlackBerry security <b><a href="http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB33425&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl#CAenvironmentSection" rel="nofollow" target="_blank">advisory</a></b>:<br /><br /><br /><blockquote class="tr_bq"><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;">Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone.</tt><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;">Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server.</tt><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;">Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.</tt></blockquote><div style="background-color: white; border: 0px; color: #333333; font-family: arial, helvetica, sans-serif; font-size: 15px; margin-bottom: 10px; padding: 0px; text-align: -webkit-auto; vertical-align: baseline;"><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;"><br /></tt></div><br />The hacker can trick the user into visiting a webpage that carries out the attack or embeds a malicious code directly into an email or instant message. BlackBerry Enterprise Server is mainly involved in this method and it depends on how it handles TIFF image files which are being viewed by the BlackBerry user. According to some reports, these images/links do not even need to be clicked or an email to be viewed for the attack to begin.<br /><br />The biggest concern is that through the attack, hackers might succeed into planting malicious code on BES which allows remote access to it. This would lead to information being stolen from your network. Hackers may also be able to crash or interrupt communications through this exploit.<br /><br />BlackBerry phones are not the root cause of these attacks. BES used by companies is the vulnerable software here. Therefore, you do not need to throw your BlackBerry out.<br /><br />There haven't been any reports on attacks being carried out on BlackBerry customers but we request our readers to update their phones as soon as possible before you become a victim and your personal information is stolen from you.<br /><br />BlackBerry has published <a href="http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB33425&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl#CAworkaroundSection" rel="nofollow" target="_blank"><b>workarounds</b></a> from the companies who may not succeed in updating their BES.<br /><br />Cheers!<br /><br /><b>About the Author:</b><br />This article is written by Dr. Sindhia Javed Junejo. She is one the core members of RHA team.</div>

BlackBerry Users At Risk

Attention all BlackBerry users! You are vulnerable to remote attacks by hackers. It has been reported by Blackberry security advisory that i...

+ Read more »

Facebook's Security Breeched - Java Zero-Day Vulnerability Found

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ6oW6py3BUGcZznhPgt78n_y6xedMLRefWvio4MEPjreKoavO7lhKhtIO4oGmFYPkbB2CqMKf0VHTB5MIQR4kUR3mlnUDgQyJ5iYwEMv61xt4dzP5niSuAArinVOQsCFTchmNrmed6dU/s1600/facebook-shatter.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ6oW6py3BUGcZznhPgt78n_y6xedMLRefWvio4MEPjreKoavO7lhKhtIO4oGmFYPkbB2CqMKf0VHTB5MIQR4kUR3mlnUDgQyJ5iYwEMv61xt4dzP5niSuAArinVOQsCFTchmNrmed6dU/s640/facebook-shatter.jpg" width="577" /></a></div><div><br /></div><div>Facebook was attacked by unidentified hackers on Friday. The attack was carried out when Facebook Co.'s employees visited a developer's website which was, you guessed it, compromised. The malware was installed on their laptops and so began the journey of Facebook's self-enlightenment.</div><div><br /></div><div>Facebook has over 1 million users to its disposal who share sensitive information on the social networking site, giving Facebook the edge to control and use it freely. However, none of these 1 billion users want their private content to be spread out for everyone's eyes to see. Facebook is very aware of what attacks like such could mean for their following. It could bring down the very foundation of Facebook as we know it.<br /><br /><a name='more'></a><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj28Jro9VSMznD2HFNIN-w3chG09hAUrJd_ZEpgFYlELAFa3FwsdUiuJHmUZf4ezUt79Sw0Vf-XSzffdyQNZ9Li8-I7U7e6nhCcLw1PW1u0UR8z9byusTZ5ymm2DEQsyBKwCx3NpamgPCs/s1600/protecting-people-486.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj28Jro9VSMznD2HFNIN-w3chG09hAUrJd_ZEpgFYlELAFa3FwsdUiuJHmUZf4ezUt79Sw0Vf-XSzffdyQNZ9Li8-I7U7e6nhCcLw1PW1u0UR8z9byusTZ5ymm2DEQsyBKwCx3NpamgPCs/s400/protecting-people-486.png" width="400" /></a></div><br /><div>Facebook published a <b><a href="https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766" rel="nofollow" target="_blank">formal bulletin</a></b> regarding the security breech titled "<i>Protecting People on Facebook</i>":</div><div><br /></div><div><blockquote class="tr_bq"><span style="font-family: Times, Times New Roman, serif;">Facebook, like every significant internet service, is frequently targeted by those who want to disrupt or access our data and infrastructure. As such, we invest heavily in preventing, detecting, and responding to threats that target our infrastructure, and we never stop working to protect the people who use our service. The vast majority of the time, we are successful in preventing harm before it happens, and our security team works to quickly and effectively investigate and stop abuse.<br /><br />Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.<br /><br /><strong>We have found no evidence that Facebook user data was compromised.</strong></span></blockquote><div style="background-color: white; color: #333333; font-family: 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 13px; line-height: 19px;"><br /></div></div><div>Previously, Facebook had claimed that none of the data that it has authority over or has been intrusted to them was compromised in the attack. In response to which Kevin Mitnick, the founder of Mitnick Security Consulting LLC, tweeted:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik37toEtc2H0yJYoZwGZukSzp1VhKaNNonxyXpfyLV5wjmfsMrOXRCPwNiR7bOue7CNSV_uIa5rXluawK8p8946aNEf8kQfiAKND5lBPdJFNK_cE_2Uh_IcqotSzewbrZDwsdfPekPakM/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik37toEtc2H0yJYoZwGZukSzp1VhKaNNonxyXpfyLV5wjmfsMrOXRCPwNiR7bOue7CNSV_uIa5rXluawK8p8946aNEf8kQfiAKND5lBPdJFNK_cE_2Uh_IcqotSzewbrZDwsdfPekPakM/s400/Untitled.png" width="400" /></a></div><div><br /></div><div>Surely enough, Facebook's CSO, Joe Sullivan is then reported to have said in an <b><a href="http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/" rel="nofollow" target="_blank">interview</a></b>:</div><div><br /></div><blockquote class="tr_bq"><span style="background-color: white; color: #263034; line-height: 20px;"><span style="font-family: inherit;">An analysis of the activity of the malware showed that "they were trying to move laterally into our production environment," Sullivan said. The attackers gained "some limited visibility" into production systems, but a forensic review found no evidence that data was exfiltrated from that. However, some of the information on the laptops themselves—"what you typically find on an engineer's laptop," Sullivan said—was harvested by the hackers, including corporate data, e-mail, and some software code.</span></span></blockquote><div><span style="background-color: white; color: #263034; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px;"><br /></span></div><div>It is reported that the security breech occurred to due a <i>Java zero-day</i> vulnerability. Through this exploit the hackers were able to infiltrate Facebook's network and inject malware. Facebook now claims that the exploit has been patched and anti-virused. Therefore, users of Facebook can be at ease again.</div><div><br /></div><div>Facebook has been jumping up and down trying to convince its users that their sensitive data has not been compromised by the attack:</div><div><br /></div><div><blockquote class="tr_bq">There are a few important points that people on Facebook should understand about this attack:<br /><br />- Foremost, we have found no evidence that Facebook user data was compromised.<br /><br />- We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.</blockquote></div><div><br /></div><div>However, we would request all our readers to switch off Java in their browsers.</div><div><br /></div><div>Cheers!</div><div><br /></div><div><b>About the Author:</b></div><div>This article is written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.</div><div></div></div>

Facebook's Security Breeched - Java Zero-Day Vulnerability Found

Facebook was attacked by unidentified hackers on Friday. The attack was carried out when Facebook Co.'s employees visited a developer...

+ Read more »

Blind SQL Injection - Detection And Exploitation

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXp0hBjFIlNQhVoAcjABuX8_x_g3Ru3XMIrzBswLEx4K4IxmwXhfKgKADz1hwV4Jr5Kv2L9Xuw970DRrzbIy8Kt6c3zDhmngR71DRJ9T3eldRkBddd14XnvUYpmD2lCqXZ0qqAguSridY/s1600/sqlinjection+(1).jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXp0hBjFIlNQhVoAcjABuX8_x_g3Ru3XMIrzBswLEx4K4IxmwXhfKgKADz1hwV4Jr5Kv2L9Xuw970DRrzbIy8Kt6c3zDhmngR71DRJ9T3eldRkBddd14XnvUYpmD2lCqXZ0qqAguSridY/s400/sqlinjection+(1).jpg" width="400" /></a></div><br />In our previous post "<b><a href="http://www.rafayhackingarticles.net/2013/02/sql-injection-basics-union-based.html" target="_blank">SQL Injection Basics - Union Based</a></b>", I explained the basic technique not only to find detect sql injection vulnerabilities also how to exploit SQL Injection vulnerabilities with Union based method. However, In this post a security researcher and a good friend of mine ahmad ashraff decided to contribute to RHA and present his research on some blind sqli techniques, So enough from me, Over to Ahmed. <br /><br /><a name='more'></a><br />In this post I'm going to share with all on how to detect if the website is vulnerable to Blind SQLi or there is no SQLi at all.<br /><br />Before, do note that I'm not an expert in this security/hacking scene. This sharing based on my own understanding from articles/discussions among of these great people such as .mario,stampar,R4x0r,Nurfed,benzi and more!!<br /><br /><div>In Blind SQLi, we need to understand correctly on how the server/website response based on TRUE or FALSE condition.AFAIK, there are 2 ways to detect it.</div><div><ol><li><b>Quotes</b></li></ol>It can be either <i style="font-weight: bold;">single quote (') </i>, <i style="font-weight: bold;">double quotes (") </i> or <b><i>backtick ( ` )</i></b></div><div>Look at the example below.</div><div><br /></div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1ff7Q9OhZ3SZxgD4IlrKN9dxVKSHU3VXNKc3rpxa2Ml6GeKQz4UMrq23powIuKwGCcYDhuJwpQo31sWdq9eGLs-UqD4K-4wPb9bd2QC6c5kpbf625T9cia9Q2MUrYT17IPyLQQUcoMYQ/s1600/a1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="499" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1ff7Q9OhZ3SZxgD4IlrKN9dxVKSHU3VXNKc3rpxa2Ml6GeKQz4UMrq23powIuKwGCcYDhuJwpQo31sWdq9eGLs-UqD4K-4wPb9bd2QC6c5kpbf625T9cia9Q2MUrYT17IPyLQQUcoMYQ/s640/a1.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">A normal page condition ( TRUE condition )</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sU5-TthbfzhwECAFFlcExokhg5_a1UA34yoInbs_4qtz-fsvVjBq3Qje_ZtKjQAMnxkAsKEhnWKRDr3l_apnx2YfHWe0yRGb5z_aiPWgjrGSXu97oDUbRhTp_-692ncmN0YcsbWgCo0/s1600/a2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="499" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sU5-TthbfzhwECAFFlcExokhg5_a1UA34yoInbs_4qtz-fsvVjBq3Qje_ZtKjQAMnxkAsKEhnWKRDr3l_apnx2YfHWe0yRGb5z_aiPWgjrGSXu97oDUbRhTp_-692ncmN0YcsbWgCo0/s640/a2.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The page become blank (FALSE condition) once we put a single quote</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUo0PS_jPe-Dmv-IRB03SPy2IMwHgZ_o-sQg8zNs1UnngETz4m5-wpX0-tuzffzgDlTlHk3zLZJ_Z9D3eh8Y7OtCGM2d55mKUwm_HNboQmIZ2T_pC5Z3W-PVgDXgYjzhdufvG44j5He40/s1600/a3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUo0PS_jPe-Dmv-IRB03SPy2IMwHgZ_o-sQg8zNs1UnngETz4m5-wpX0-tuzffzgDlTlHk3zLZJ_Z9D3eh8Y7OtCGM2d55mKUwm_HNboQmIZ2T_pC5Z3W-PVgDXgYjzhdufvG44j5He40/s640/a3.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The page back to normal condition (TRUE) once we put another single quote.</td></tr></tbody></table><div>We can use these method as well to check the TRUE/FALSE condition under this way of detection.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzvefHF6lvNR0fv1fzW41EIsCoZjBRhsJK5xZe0uOwkvvhlaW3QE_ToXppfriFBWC9Zr_EpcZcb9laMzYGCLk2PsYMM8r5hbhjAuWyD9jQLlIVBKQx6LYuskZVgd3xvEQhG-rYQ__g_c/s1600/a4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzvefHF6lvNR0fv1fzW41EIsCoZjBRhsJK5xZe0uOwkvvhlaW3QE_ToXppfriFBWC9Zr_EpcZcb9laMzYGCLk2PsYMM8r5hbhjAuWyD9jQLlIVBKQx6LYuskZVgd3xvEQhG-rYQ__g_c/s640/a4.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">    2. <b>Numeric Operators</b></div><div class="separator" style="clear: both; text-align: left;"> Make sure you know how to calculate a simple math! </div><div class="separator" style="clear: both; text-align: left;">The example below shows that <b>pic_id </b>is vulnerable to SQLi</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu4RJQcRIIiosGUmZYdAj5gMmVske4D1CTJRIW1wPgdOav89IqW8qfNuq4NOYLonzWzD6v9lh_56gOSNX73ro-JopIhe8Lv1wGspl8_j7w8HYUWm3rt1-CxmjpDOKcZ84h9cYn5_GIWlc/s1600/b1.png" imageanchor="1"><img border="0" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu4RJQcRIIiosGUmZYdAj5gMmVske4D1CTJRIW1wPgdOav89IqW8qfNuq4NOYLonzWzD6v9lh_56gOSNX73ro-JopIhe8Lv1wGspl8_j7w8HYUWm3rt1-CxmjpDOKcZ84h9cYn5_GIWlc/s640/b1.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMXUrDNrxWv0fZaq58F88lDFA4zSkTreiNBLWBV25T1A2helfCbSsu-4858TOpo7A3qFgBYVQNlbIXynryjuHhgwJukJWxqAiY5pRgcekBQHzS-lrp0qFEQxgxMjRwqbSo__xOrv3Uvpk/s1600/b2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMXUrDNrxWv0fZaq58F88lDFA4zSkTreiNBLWBV25T1A2helfCbSsu-4858TOpo7A3qFgBYVQNlbIXynryjuHhgwJukJWxqAiY5pRgcekBQHzS-lrp0qFEQxgxMjRwqbSo__xOrv3Uvpk/s640/b2.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Normal page loaded. Because the condition is true. <b>1=1 </b>is <b>TRUE</b></td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGWapGHIcpgpLbq_G-iIXz9k9xsLxwzqBrqQDaKa65rT53TWByzd7jIn1f-WOp_u7LgMoSPG0qtD5dtFlQTgZj9o8GHfA9OAiaehI7a1rGAecOMRNVpqjtoSAJ6jGhp7tllAukjdsRNM8/s1600/b3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGWapGHIcpgpLbq_G-iIXz9k9xsLxwzqBrqQDaKa65rT53TWByzd7jIn1f-WOp_u7LgMoSPG0qtD5dtFlQTgZj9o8GHfA9OAiaehI7a1rGAecOMRNVpqjtoSAJ6jGhp7tllAukjdsRNM8/s640/b3.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The <i>admin</i> word is missing. This shows a FALSE condition since <b>1=2 </b>is <b>FALSE</b>.</td></tr></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgplSSmDydY7M19NQFFO2bORGlZ8lPY6eq1wskNaQ90PMQU0yrUvFl6VwsVzgNjAnoWZcNPAwJGNhagm6NV32rwgoq2DxI5PbMiPZtKZ3MQ0dGFETdEESoApKznrgKrdgaG2PU1AwaRdWM/s1600/b4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgplSSmDydY7M19NQFFO2bORGlZ8lPY6eq1wskNaQ90PMQU0yrUvFl6VwsVzgNjAnoWZcNPAwJGNhagm6NV32rwgoq2DxI5PbMiPZtKZ3MQ0dGFETdEESoApKznrgKrdgaG2PU1AwaRdWM/s640/b4.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Another way is by using simple calculation. The current page loaded fine on <b>pic_id=13</b>.</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXT8WbNPqR3FdmZ0fOxCYipFzOGjUSmAqJ48NQMAflUsrkmv5gKm9qpvpuX0qX8FTH4316n71jnyHPkJbFPyGv_61gXIZ49JrjSLqSeFhdD9uyq8ZEhPtPIEWWoULWszI7k4mw3eLx3BE/s1600/b5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXT8WbNPqR3FdmZ0fOxCYipFzOGjUSmAqJ48NQMAflUsrkmv5gKm9qpvpuX0qX8FTH4316n71jnyHPkJbFPyGv_61gXIZ49JrjSLqSeFhdD9uyq8ZEhPtPIEWWoULWszI7k4mw3eLx3BE/s640/b5.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The page loaded fine but it shows another page. This is because we added <b>1 </b>in the <b>pic_id </b>where it'll become 13+1=14 so the page will loaded the <b>pic_id=14</b><br /><br /><div style="text-align: left;">Here are some other method under this technique.</div></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggsW8zwn3WyMrNu08U7wweKJHtoe_Z6xLcICqEmqt32iasDNuUTNmb0OTg1Of1T_3QSEZMnsCdJjf6dnNqdZO4exKpXAsWS9xGVa8e94ZhXi0_kF9j555KboiXqLfSML_VkhH7TQ0J5Wk/s1600/b6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggsW8zwn3WyMrNu08U7wweKJHtoe_Z6xLcICqEmqt32iasDNuUTNmb0OTg1Of1T_3QSEZMnsCdJjf6dnNqdZO4exKpXAsWS9xGVa8e94ZhXi0_kF9j555KboiXqLfSML_VkhH7TQ0J5Wk/s640/b6.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Next, we want to inject it! But how?</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>i. <u>Common technique</u></b></div><blockquote class="tr_bq">id=1 and 1=1</blockquote><blockquote class="tr_bq">id=1 and <b>(put our sql query here)=(put our expectation here)</b></blockquote>as  example we want to query the current version,<br /><blockquote class="tr_bq">id=1 and substring(@@version,1,1)=4</blockquote>so, if the current MySQL version used by the website started with <b>4</b> the page will load normally (TRUE condition) else the page will be error/blank (FALSE condition)<br /><br />Example as below<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiLUujfTKBGqPANakIUebenXGzBeh951mi9LHRFi-CdUfCrel3TLGVfqU6ERr9DesDYn9nrWpsn3DztiqYOumoTPmjqopbnZKe0V4xo75HM0BhewJC71Xxkvfir_SSTdQAXPBrlr8Q3UQ/s1600/c1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiLUujfTKBGqPANakIUebenXGzBeh951mi9LHRFi-CdUfCrel3TLGVfqU6ERr9DesDYn9nrWpsn3DztiqYOumoTPmjqopbnZKe0V4xo75HM0BhewJC71Xxkvfir_SSTdQAXPBrlr8Q3UQ/s640/c1.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Testing if the MySQL used is version 4.*. Page error,shows that the website is not using that version.</td></tr></tbody></table><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ6bHj6S2l9bhEFW2WzM7iqaH7uVTVcXG0VnsUS4Pc0pUtdw0QtYjf31pHWmhBjOwmaWtSGfDvqXrFmj2hdJG1dafdnYWmYUiG7MRSXvUJxfDkNqZ1RSlC-J-DdpAaVeagdP9e7zcAA5o/s1600/c2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ6bHj6S2l9bhEFW2WzM7iqaH7uVTVcXG0VnsUS4Pc0pUtdw0QtYjf31pHWmhBjOwmaWtSGfDvqXrFmj2hdJG1dafdnYWmYUiG7MRSXvUJxfDkNqZ1RSlC-J-DdpAaVeagdP9e7zcAA5o/s640/c2.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Testing if the MySQL used is version 5.*. Page loaded fine,shows the current version used is 5.*</td></tr></tbody></table><br /><b>ii. <u>Using a Case statement</u></b><br /><blockquote class="tr_bq">id=1 and 1</blockquote><blockquote class="tr_bq">id=1 and (CASE when (our sql query here) THEN 1 else 0 END)</blockquote>If the query is TRUE,it'll resulting 1 where 1 is TRUE condition. Else, it'll resulting 0 where 0 is FALSE condition.<br /><br /><div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMNBdH7EIorbh5nF60ruclFSMsE2cUVM-PshOe3432pEtwomjWi0AflDlgO9IrXz6glXknl7_-8DxIez-WvO1UOxPPn8hBfwhxdvnFqe7zEfVUp1TNahbQKCW2ngl_pmvqV4zULiUAGzE/s1600/d2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMNBdH7EIorbh5nF60ruclFSMsE2cUVM-PshOe3432pEtwomjWi0AflDlgO9IrXz6glXknl7_-8DxIez-WvO1UOxPPn8hBfwhxdvnFqe7zEfVUp1TNahbQKCW2ngl_pmvqV4zULiUAGzE/s640/d2.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="font-size: 12.727272033691406px;">1=2 is wrong,so it'll resulting 0,FALSE.<br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie63ui-7VJt6f6p4xLmtGVuGRZ6Xer7ho5vWSB10hVXxjAFVJmbAa8wKKvudPsqMTeW7Bb1e_vRAytMWou3yT6bZcUZg-ZN2h6p82KswaDZ_K778tO5fcgtBAYvF-UyDTGZC56MTVEYPk/s1600/d1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie63ui-7VJt6f6p4xLmtGVuGRZ6Xer7ho5vWSB10hVXxjAFVJmbAa8wKKvudPsqMTeW7Bb1e_vRAytMWou3yT6bZcUZg-ZN2h6p82KswaDZ_K778tO5fcgtBAYvF-UyDTGZC56MTVEYPk/s640/d1.png" width="577" /></a></td></tr><tr><td class="tr-caption" style="font-size: 12.727272033691406px;">1=1 is correct,so it'll resulting 1,TRUE.<br /><div style="text-align: left;"><br /></div></td></tr></tbody></table></td></tr></tbody></table></div><div><b>iii. <u>Time Based</u></b></div><div><br />I will explain the time based technique in his my upcoming guest post on<a href="http://www.rafayhackingarticles.net/" target="_blank"> RHA</a>. </div><div>and there are more techniques in SQLi out there. This just a basic way to detect Blind SQLi based on my knowledge and experience. Do have some read and research on them as well. You might find a new way on exploiting, who knows right? :D</div><div><br /></div><div>That's all guys!</div><div><b><br /></b></div><div><b>About The Author</b><br /><b><br /></b>Yappare is a web application security Professional, He has been listed in lots of hall of fames and has found lots of high risk vulnerabilities inside lots of CMS platforms. You can follow him on @yappare</div></div>

Blind SQL Injection - Detection And Exploitation

In our previous post " SQL Injection Basics - Union Based ", I explained the basic technique not only to find detect sql injection...

+ Read more »

OWASP TOP 10 Security RISKS For 2013

<div dir="ltr" style="text-align: left;" trbidi="on"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4hlU_J-hMfT2LTZdTSPg6hlVxogeLLLRxwXpOW1qMIBCHdzq0tcBwfpolE_Rxlys6JQ9DVFmmWsXrl4mCe6mZvmVYlbQ7WHuxCVkKmRliaZ3qSh2vrtTXfhhmSyWBJ_0bkmYdrLf_xSI/s1600/images.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4hlU_J-hMfT2LTZdTSPg6hlVxogeLLLRxwXpOW1qMIBCHdzq0tcBwfpolE_Rxlys6JQ9DVFmmWsXrl4mCe6mZvmVYlbQ7WHuxCVkKmRliaZ3qSh2vrtTXfhhmSyWBJ_0bkmYdrLf_xSI/s640/images.jpg" width="577" /></a><br /><br /><br /><br /><br />The <b>OWASP</b> or the Open Web Application Security Project's "<b><u>top 10</u></b>" has been designed to raise awareness about crucial security threats faced by organisations. The data is based on 8 companies specialising in application security out of which 4 are consulting firms and the rest are tool vendors.<br /><a name='more'></a><br />The top 10 are selected on the basis of exploitability, detectability and impact estimate from over 500,000 vulnerabilities spanning over hundreds of organisations and thousands of applications. The purpose of which is to educate developers, designers, architects, managers and organisations regarding web application security weaknesses.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTYOeZY-WU6SE1Wivh-v9f0sPFuWxSGpWV4IEXmf55O-C5esougZdf9dwIUM90I1JA7ZHniB9CHpeRLtgt4_LUVfT0fCt9fnurZ1lNeccpDSUMYQcvVMInx2mqN2EsJI5ZUiovhcZlqnA/s1600/X.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTYOeZY-WU6SE1Wivh-v9f0sPFuWxSGpWV4IEXmf55O-C5esougZdf9dwIUM90I1JA7ZHniB9CHpeRLtgt4_LUVfT0fCt9fnurZ1lNeccpDSUMYQcvVMInx2mqN2EsJI5ZUiovhcZlqnA/s640/X.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>The significance of the top 10 project is to understand what web applications can be prone to. OWASP provides additional information regarding these vulnerabilities that help the reader to prevent and combat such risks.<br /><br />Cheers!<br /><br /><b>About the Author:</b><br />This article is written by Dr.Sindhia Javed Junejo. She is one of the core members of RHA team.<br /><div class="MsoNormal"><b style="background-color: #333333; color: #cccccc; font-family: Arial, sans-serif; font-size: 13px; line-height: 16px;"></b></div></div>

OWASP TOP 10 Security RISKS For 2013

The OWASP or the Open Web Application Security Project's " top 10 " has been designed to raise awareness about crucial securi...

+ Read more »

Adobe Zero Day - How To Protect Yourselves?

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqIuWR3nasw5v_fAK1SouL2fsd5Up_-PP3z9270fFm-Yu9OyzRuyeqcm5IAc0H17N4NpyRY7u8_o-ZBhYMoJNQ9vfmWuqc1kIc5-7znBwKfL3j5UOlzk3n2ZhRsoezLLltG5laqPTsjh0/s1600/adobe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqIuWR3nasw5v_fAK1SouL2fsd5Up_-PP3z9270fFm-Yu9OyzRuyeqcm5IAc0H17N4NpyRY7u8_o-ZBhYMoJNQ9vfmWuqc1kIc5-7znBwKfL3j5UOlzk3n2ZhRsoezLLltG5laqPTsjh0/s400/adobe.png" width="400" /></a></div><div>A couple of hours ago, we wrote a detailed blog on <a href="http://www.rafayhackingarticles.net/2013/02/adobe-zero-day-malware-stripped-by.html" rel="nofollow" target="_blank"><b>Adobe's Zero-Day</b></a> malware, found by Fireeye and investigated by Sophos Lab. The malware consisted of an exploit to hack Adobe Reader and Adobe Acrobat softwares. The recent upgrades of the two softwares have found to be insufficient in providing security to the PC running them. The exploits remain unlatched (as for now) and the user vulnerable.</div><div><br /></div><div>Adobe is doing its part and has begun by issuing a <a href="https://www.adobe.com/support/security/advisories/apsa13-02.html" rel="nofollow" target="_blank"><b>formal bulletin</b></a> offering its users advice on the matter:<br /><a name='more'></a></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEcu_6zLf_KzAzmsRt8UV6Lajj2WqF_2LXtIArXdkzLHl1u5EizbybrxZgK_ZSJeQvpaQzQVyNPECn2GCo4t4IqXLvyDCPAaMn7V9LEsTdIvBA6Zp8R3G6s7C5CItDR2Ok7KLAwT45PiQ/s1600/adobe1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEcu_6zLf_KzAzmsRt8UV6Lajj2WqF_2LXtIArXdkzLHl1u5EizbybrxZgK_ZSJeQvpaQzQVyNPECn2GCo4t4IqXLvyDCPAaMn7V9LEsTdIvBA6Zp8R3G6s7C5CItDR2Ok7KLAwT45PiQ/s400/adobe1.png" width="400" /></a></div><div><br /></div><div><blockquote style="background-color: white; border: 0px; color: #333333; font-family: arial, helvetica, sans-serif; font-size: 15px; line-height: 16px; margin: 1em 40px; padding: 0px; text-align: left; vertical-align: baseline;"><div style="background-color: transparent; border: 0px; line-height: normal; margin-bottom: 10px; padding: 0px; text-align: center; vertical-align: baseline;"><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;">Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.</tt></div></blockquote><blockquote style="background-color: white; border: 0px; color: #333333; font-family: arial, helvetica, sans-serif; font-size: 15px; line-height: 16px; margin: 1em 40px; padding: 0px; text-align: left; vertical-align: baseline;"><div style="background-color: transparent; border: 0px; line-height: normal; margin-bottom: 10px; padding: 0px; text-align: center; vertical-align: baseline;"><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;">Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.</tt></div></blockquote><blockquote style="background-color: white; border: 0px; color: #333333; font-family: arial, helvetica, sans-serif; font-size: 15px; line-height: 16px; margin: 1em 40px; padding: 0px; text-align: left; vertical-align: baseline;"><div style="background-color: transparent; border: 0px; line-height: normal; margin-bottom: 10px; padding: 0px; text-align: center; vertical-align: baseline;"><tt style="background-color: transparent; border: 0px; font-family: courier, monospace; font-size: 14px; margin: 0px; padding: 0px; vertical-align: baseline;">Adobe is in the process of working on a fix for these issues and will update this advisory when a date for the fix has been determined.</tt></div></blockquote></div><h3 style="text-align: left;">Assess If You Are Being Attacked</h3><div><br /></div><div>If you are being attacked by the exploit, you may not realise it for a while. It's not an obvious attack as is the case with many malwares that are found today. The exploit basically takes over Readers using it to inject malware into your PC and reloads Reader with a clean PDF that doesn't look suspicious at all and does not function in an unexpected way. The user is therefore, at ease at what he sees on his PC not doubting it for a second.</div><div><br /></div><h3 style="text-align: left;">Brace Yourself</h3><div><br /></div><div>Windows and Mac users are susceptible to such an exploit. It affects Reader and Acrobat, versions 9, X (10) and XI (11).</div><div><br /></div><div>Windows users can defend themselves by first upgrading to version XI. Make sure that you do not opt to download the optional software (in this case, Google Chrome and Chrome toolbar) along with the update.</div><div><br /></div><div>To protect yourself from the attack switch Protected View on:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ9S-qyTji6XySa25KMRUNn6F8ciOaOdDXGC3Om4SLGDpvYcJwmjTbtmJ_en3o65F0GJWEXm7rR7xHfic7POAwtfDAQROGyUwwDGj-A7iinQ8mE1OehkbRIrYhvkH92O83bDMoRPKktgI/s1600/adobe3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ9S-qyTji6XySa25KMRUNn6F8ciOaOdDXGC3Om4SLGDpvYcJwmjTbtmJ_en3o65F0GJWEXm7rR7xHfic7POAwtfDAQROGyUwwDGj-A7iinQ8mE1OehkbRIrYhvkH92O83bDMoRPKktgI/s400/adobe3.png" width="386" /></a></div><div><br /></div><div>In addition to a dependable anti-virus software and a firewall along with enforced Protected View, you are less prone to be affected by this malware.</div><div><br /></div><h3 style="text-align: left;">For Mac Users</h3><div><br /></div><div>Mac users do not have a "Protected View" option. However, you can use the built-in Preview application as the default PDF viewer and avoid using Adobe. You can still load and use Reader but on your own terms. By doing so, you wont be as susceptible to the attack as you would be when its running in the background without your knowledge.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTSrKdyhBH3qsn8cRFJLV6Fi6Mv049_6BFWk3U1SQUQ12oXb-pHPrmERlZCPQufwDV4vGhlqW7FDxy1yrOHKwTNvbsskxEB1G2rY0wu_2zXph1QayJfEb2Vq5-A4iZU67zA8NQUx9AhNc/s1600/adobe4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTSrKdyhBH3qsn8cRFJLV6Fi6Mv049_6BFWk3U1SQUQ12oXb-pHPrmERlZCPQufwDV4vGhlqW7FDxy1yrOHKwTNvbsskxEB1G2rY0wu_2zXph1QayJfEb2Vq5-A4iZU67zA8NQUx9AhNc/s400/adobe4.png" width="340" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><h3 style="text-align: left;">In The End</h3><div><br /></div><div>Be careful with what you receive in your emails. Do not open attachments that you receive in your emails unless they are from a trusted sender.</div><div><br /></div><div>Cheers!</div><div><br /></div><div><b>About the Author:</b></div><div>This article is written by Dr.Sindhia Javed Junejo. She is one of the core members of RHA team.</div></div>

Adobe Zero Day - How To Protect Yourselves?

A couple of hours ago, we wrote a detailed blog on Adobe's Zero-Day malware, found by Fireeye and investigated by Sophos Lab. The malwa...

+ Read more »