LFI: beyond /proc/self/environ

Let’s suppose that we have a simple PHP application. The web app has a login form and a small news system based on txt files.
So a user can simply log into the system and access the company’s internal board.
After looping through all the pages, one can guess that the web app is loading the content for each section from a plain text file. Reviewing the code confirms it.
So at this point, an evil user could perform some local file inclusion and read files on the remote system.
We all know how to exploit that via the “/proc/self/environ” way, and if we don’t, our friend Google can help for sure.
So in this post we’ll see some other ways to inject PHP code inside various files on the remote server.
If the Apache access.log on the remote system is readable through the LFI, an attacker can inject PHP code inside it.
PHP code can be injected via netcat: by requesting an invalid page, the GET request containing the code will be stored inside the Apache log file.
Then the attacker can include the log file through the LFI and enjoy remote code execution. Various pieces of code can be executed.
If the remote box has the SSH auth.log readable through the LFI, malicious code can be injected via SSH: by trying to log into the system using an invalid username, the name used will be stored inside auth.log, so the attacker can inject code that way.
Another scenario arises when the LFI-vulnerable web application stores unsanitized data inside a session file. Let’s think about some piece of code like the following:

if ($user == 'admin' and $password == 'admin1234') {
    $_SESSION["auth"] = 1;
    foreach ($_POST as $key => $value) {
        // every POST field whose name starts with cms_ is copied into the session unchecked
        if (substr($key, 0, 4) == 'cms_') {
            $_SESSION[$key] = $value;
        }
    }
}
At this point, all POST variables starting with cms_ will be written inside the session file, so an attacker can use that to inject evil code.
An attacker can use a proxy like Paros to alter HTTP traffic on the fly. By altering the traffic, an attacker will be able to inject a third POST variable, so the attacker can include a variable called cms_whatever and inject PHP code inside it.
Using Paros, the attacker can look up the session ID, and now he’s able to exploit the LFI and include the PHP session file.
In a real-life scenario, the attacker will include an evil file like a backdoor and gain control of the server.
A shell can be obtained using a PHP, Perl, Python or whatever reverse shell.
Files can be transferred to the remote server via an HTTP server and the wget command used along with the shell_exec PHP function. Using shell_exec in PHP allows running system commands on the remote server.
And after running the perl /tmp/ps.pl command, access is gained on the server.
be good!
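From the defender's side, both log-poisoning variants above leave a trace before the include ever happens: a PHP open tag in a request line, referer or user agent, or in an invalid SSH username. The script below is an added example (not code from the original post) that scans constructed Apache combined-log and sshd auth.log lines for those markers and for include paths that reach a log file or /proc/self/environ. The log lines, hostnames and IPs are made up for the example; URL-decoding of the request fields is deliberate, because an encoded tag would otherwise slip past the check.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original post); 10.0.0.9 is the
# hypothetical attacking host, 10.0.0.5 and 10.0.0.7 are normal clients.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php?page=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2013:13:57:01 +0000] "GET /<?php phpinfo(); ?> HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2013:13:58:10 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 8191 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2013:13:59:42 +0000] "GET /%3C%3Fphp%20phpinfo%28%29%3B%20%3F%3E HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

AUTH_LOG = """\
Oct 10 14:01:30 web sshd[2210]: Invalid user bob from 10.0.0.7
Oct 10 14:02:11 web sshd[2211]: Invalid user <?php phpinfo(); ?> from 10.0.0.9
"""

# A PHP open tag in any attacker-controlled field is the poisoning half of the attack.
PHP_TAG = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)
# Traversal or a direct path to a log / procfs file is the inclusion half.
LFI_PATH = re.compile(r"(?:\.\./|%2e%2e|/proc/self/environ|/var/log/)", re.IGNORECASE)

# Apache "combined" log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SSH_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+)$")


def scan_access_log(text):
    """Return (ip, reason) for every request carrying a PHP tag in the request
    line, referer or user agent, or an include path typical of LFI."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # URL-decode so %3C%3F... is seen as <? like the literal form.
        fields = {k: unquote(m.group(k)) for k in ("req", "ref", "ua")}
        for name, value in fields.items():
            if PHP_TAG.search(value):
                findings.append((m.group("ip"), "php_tag_in_" + name))
        if LFI_PATH.search(fields["req"]):
            findings.append((m.group("ip"), "lfi_path_in_req"))
    return findings


def scan_auth_log(text):
    """Return (ip, reason) for every failed SSH login whose username carries a PHP tag."""
    findings = []
    for line in text.splitlines():
        m = SSH_INVALID.search(line)
        if m and PHP_TAG.search(m.group("user")):
            findings.append((m.group("ip"), "php_tag_in_ssh_user"))
    return findings


if __name__ == "__main__":
    for ip, reason in scan_access_log(ACCESS_LOG) + scan_auth_log(AUTH_LOG):
        print(ip, reason)
```

Two of the four access-log lines and one of the two auth-log lines are flagged, all from the same source address; correlating the "php_tag" hits with a later "lfi_path" request from the same host is the pattern worth alerting on, since a tag alone in a 404 is noise until something includes the log.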

SQL INJECTION INTRODUCTION

  • SQL injection is the most common vulnerability on the internet.
  • It is mainly a flaw in the web application, not a database or web server issue.
  • Most programmers are still not aware of this threat.
What is SQL Injection?
  • SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by the back-end database.
  • In other words, SQL injection is a basic technique/attack used either to gain unauthorised access to a database or to retrieve information directly from the database.
SQL Injection Attacks ----
  1. Authentication Bypass --- Using this attack, an attacker logs on to an application without providing a valid username and password and gains administrative privileges.
  2. Information Disclosure --- Using this attack, an attacker obtains sensitive information that is stored in the database.
  3. Compromised Data Integrity --- An attacker uses this attack to deface a web page, insert malicious content into web pages, or alter the content of the database.
  4. Compromised Availability of Data --- An attacker uses this attack to delete database information, logs or audit information that is contained in the database.
  5. Remote Code Execution --- It allows an attacker to compromise the host OS.
How web Application Works ----

  • The above fig. shows how the initial request is triggered by the user through the browser over the Internet to the web application server.
  • The web application accesses the database servers to perform the requested task, updating and retrieving the information lying within the database.
  • The web application then presents the information to the user through the browser.
Web Security Issue ----



  • Web applications do raise a number of security concerns stemming from improper coding. Serious weaknesses or vulnerabilities allow hackers to gain direct and public access to databases in order to reach sensitive data.
  • Many of these databases contain valuable information (e.g., personal and financial details), making them a frequent target of hackers.
  • Websites and related web applications must be available 24 hours a day, 7 days a week, to provide the required service to customers, employees, suppliers and other stakeholders.
  • Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public. All modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) may be accessed through the web application's ports (e.g., port 80 and 443), and anyone can attempt connections through the application to the databases, effectively bypassing the security mechanisms used by the operating system. These ports remain open to allow communication with legitimate traffic and therefore constitute a major exposure.
  • Web applications often have direct access to back-end data such as customer databases and, hence, control valuable data and are much more difficult to secure. Those that do not have access will have some form of script that allows data capture and transmission. If a hacker becomes aware of weaknesses in such a script, he may easily reroute unwitting traffic to another location and illegitimately hive off personal details.
  • Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.
Types of SQL Injection ---
There are mainly TWO types of SQL injection ----
  1. Simple SQL Injection
    • Union SQL Injection
    • Error Based SQL Injection
  2. Blind SQL Injection
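The authentication-bypass item above is the easiest of these attacks to see in working code. The example below is added here and is not part of the original post: it builds a constructed in-memory SQLite users table, then shows the same login check written two ways, once by pasting the input into the SQL text (the flaw) and once as a parameterised query (the fix). The user name, password and table are sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; real systems store a hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: the input is formatted into the SQL text, so a quote in the
    username ends the string literal and a '--' comments out the password check."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The fix: placeholders bind the input as data; it can never alter the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bad password:", login_vulnerable(db, "admin", "wrong"))
    print("vulnerable, quote+comment:", login_vulnerable(db, "admin' --", "wrong"))
    print("parameterised, same input:", login_safe(db, "admin' --", "wrong"))
```

The vulnerable version returns True for the "admin' --" username with any password because the resulting statement no longer contains a password comparison at all; the parameterised version looks for a user literally named "admin' --" and finds none. Binding parameters (or a prepared statement API in PHP, Java or any other stack) is the fix for every injection type listed on this page, not only for login forms.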

How to Create a Bootable Windows 7

  1. Run Command Prompt as an administrator. To open a command prompt, go to the Start menu and search for CMD. Right-click on it and select Run as Administrator to use it with admin rights.

  2. Using the Diskpart utility, find the drive number of your flash drive. To do so, type the following command in the command prompt: DISKPART
    • Running DISKPART will display the version of DISKPART you are running and the name of your PC.
    • Type “list disk” to see a display of all your connected disk drives. Make a note of the number assigned to your flash drive.

  3. Format the drive. Execute the following list of commands one by one. Make sure you replace disk 1 with the proper disk number from DISKPART.

    > list disk
    > select disk 1
    > clean
    > create partition primary
    > select partition 1
    > active
    > format fs=NTFS QUICK
    > assign
    > exit

  4. Make the flash drive bootable. Use the bootsect utility that ships with Windows 7/Vista. To do so:
    • Insert the Windows 7/Vista DVD and note down the drive letter of the DVD drive. For this guide, the DVD drive is D: and the USB drive is G:.
    • Navigate to the directory where bootsect is found:

    D:
    cd d:\boot
    • Use bootsect to make the USB drive bootable. This updates the drive with BOOTMGR-compatible code and prepares it to boot Windows 7/Vista:

    BOOTSECT.EXE /NT60 G:
    • Close the Command Prompt window.

  5. Last step: go to the folder where the Windows files are and copy all the files to the USB drive.


Column Truncation SQL Injection Vulnerability


Introduction


Some time back I was in the NotSoSecure CTF competition. The challenge was to use SQL injection (any kind) to obtain 2 flags; to capture one flag, users were required to register as an admin. The application was vulnerable to the column truncation SQL injection vulnerability. Column truncation SQL injection is a very interesting vulnerability: it’s actually a buffer overflow vulnerability. Oh yeah, you heard me. You might think I have gone insane, because usually buffer overflow is related to system exploitation. Part of that is true, but this vulnerability is in web applications, and amazingly it was found on a most popular blogging platform, WordPress.



Column truncation SQL injection vulnerability description

This vulnerability arises when the application’s structural logic mismatches the database’s structural logic. When the database applies an input length limit and the application allows input of any length, strings longer than the limit are truncated upon insertion into the database. Truncating strings longer than the limit allowed in the database is the default behaviour; it will emit a warning, but that warning won’t have any impact. So how is it a security vulnerability?



Let’s take an example.

  • On a website, users are allowed to register with any username (other than the ones that are already taken).
  • The application has no limit on the length of the username.
  • The database column username length limit is 20 chars.
  • MySQL is in its default configuration.
Explanation
Now if a user tries to register as “admin”, it won’t be registered because “admin” is already taken. What if the user tries to register with “admin ”? It won’t get registered either, because trailing spaces after “n” will be ignored due to the relaxation in string comparisons. However, if MySQL did binary comparisons of strings, things would have been different, because it would compare the strings byte by byte, which makes leading or trailing spaces significant; but by default and in most cases, binary collation is not used. Binary collation (a collation defines a set of rules in MySQL for comparisons) should be used especially to get accurate results for case-sensitive or cross-language char/string comparisons. Some applications, as in the case of the WordPress column truncation SQL injection vulnerability, use the Trim() function on the user login, which removes leading and trailing spaces.

Now what if a user tries to register with this name “admin               x” (total chars 21)? The column limit is 20, so the last “x” will get truncated, then the spaces will get removed, so “admin” will be inserted into the database along with the password the user provides during registration. Hence gaining the admin’s privileges.
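To make the mechanism concrete, here is an added example (not from the original post and not real MySQL code) that models the two database behaviours the explanation relies on: silent truncation to the 20-character column width in MySQL's default, non-strict SQL mode, and the PAD SPACE comparison that makes "admin" and "admin" followed by spaces compare equal. It then shows the two fixes a practitioner would apply: turning on strict SQL mode so the overlong insert fails (the "Data too long for column" error), and validating length and whitespace in the application before the insert. The rows, names and passwords are constructed sample data; as in the scenario above, the column has no UNIQUE index.

```python
COLUMN_LIMIT = 20  # width of the username column in the scenario above


def pad_space_equal(a, b):
    """Model of MySQL's default PAD SPACE collations: trailing spaces are
    ignored when comparing, so 'admin ' == 'admin'."""
    return a.rstrip(" ") == b.rstrip(" ")


def register(rows, username, password, strict_sql_mode=False):
    """Model of the registration flow. rows is a list of (username, password).
    The 'already taken' check sees the full string; the INSERT sees the
    truncated one. Returns the value actually stored."""
    if any(pad_space_equal(username, u) for u, _ in rows):
        raise ValueError("username already taken")
    if len(username) > COLUMN_LIMIT:
        if strict_sql_mode:
            # STRICT_TRANS_TABLES turns silent truncation into a hard error
            raise ValueError("Data too long for column 'username'")
        username = username[:COLUMN_LIMIT]  # non-strict: truncate, warn, insert anyway
    rows.append((username, password))
    return username


def lookup(rows, username):
    """Model of SELECT ... WHERE username = ? under the same collation."""
    return [(u, p) for u, p in rows if pad_space_equal(u, username)]


def validate_username(username):
    """Application-side check that closes the gap regardless of SQL mode:
    reject surrounding whitespace and anything wider than the column."""
    if username != username.strip():
        raise ValueError("leading or trailing whitespace not allowed")
    if not 1 <= len(username) <= COLUMN_LIMIT:
        raise ValueError("username must be 1-%d characters" % COLUMN_LIMIT)
    return username


if __name__ == "__main__":
    rows = [("admin", "adminpw")]
    evil = "admin" + " " * 15 + "x"          # 21 characters, passes the 'taken' check
    stored = register(rows, evil, "evilpw")  # non-strict: stored as 'admin' + 15 spaces
    print(repr(stored), "->", len(lookup(rows, "admin")), "rows match 'admin'")
```

Under the non-strict model the 21-character name passes the uniqueness check, is stored as "admin" plus fifteen spaces, and a later lookup for "admin" returns two rows, so which password wins depends on the application's query. With strict mode the insert is refused, and `validate_username` rejects the input before it reaches the database at all, which is the check to add even when strict mode is already on.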



Indeed a very interesting vulnerability 


Configure your Gmail in Outlook

  1. Log in to your Gmail and go to Settings.
  2. Under 'Forwarding and POP/IMAP', enable both POP3 and IMAP.
  3. Now open your Outlook.
  4. Add a new account and fill in all the required information.
  5. Set your incoming mail server to pop.gmail.com.
  6. Set your outgoing mail server to smtp.gmail.com.
  7. Click on 'More Settings', as you need to enable a few things.
  8. On the 'Outgoing Server' tab, tick "My outgoing server" and "Use the same settings as my incoming mail server".
  9. Then go to the 'Advanced' tab and set the incoming server port to 995 and the outgoing server port to 465, with an SSL connection.
  10. Save and test your connection. It should work! :)

UnAuthorized Access to Facebook Global Business Solutions Email Preferences



Hello guys,

Today I will share my experience with the Facebook company with you. It’s about opening the “Facebook Global Business Solutions Email Preferences” of any user of Facebook’s online services.


But first I have to activate these settings by signing up for a Facebook newsletter with my email address “diaa.diab.2012@gmail.com”. For example, I will use the form on “atlassolutions.com”.



Now I am on the ‘Facebook Global Business Solutions Email Preferences’ page for receiving newsletters about the following:

Weekly News for Businesses.
Facebook News.
Facebook Regional Small Enterprise News.
News for Preferred Marketing Developers.
Facebook IQ.
Facebook News for Verticals.
Atlas Newsletter.
Audience Network.

I already started to use the email services for the Business Solution on Facebook and I received emails like this.





At the bottom of these emails I found the link to unsubscribe me from receiving such emails.








And by opening the link “www.facebook.com/business/unsubscribe/?eid=8a0f32986a7ba7b635ffaea220d04ebb&cid=775114969220192” I found myself on the next page.







You see the “Preference Center” anchor tag on the page; by clicking on it I found myself on all the settings related to ‘Facebook Global Business Solutions Email Preferences’ for the “diaa.diab.2012@gmail.com” email:
“www.facebook.com/business/subscriptions/?eid=8a0f32986a7ba7b635ffaea220d04ebb”






Now I retrieved the settings related to the “diaa.diab.2012@gmail.com” user with just one parameter, “eid”. This means that if I can figure out how Facebook built this value “8a0f32986a7ba7b635ffaea220d04ebb”, I can do the same for other emails.
This value looks like an MD5 hash (not sure yet), but let’s try to break the hash to see whether we can do it or not. The question is how the back-end developer built this hash:
  • Random value => md5(value)
  • Value from user => md5(value)
  • Value from user + salt => md5(value)
There are cases where we will not be able to break the hash (random value, or salt), but I tried to break the hash by brute-forcing it with the common strings I use on all web sites, with the following simple Python script.


#! /usr/bin/env python

import hashlib
import sys

def main():
    # usage: script.py <hex md5 hash>
    if len(sys.argv) < 2:
        print("[ + ] Usage: %s <hash>" % sys.argv[0])
        sys.exit(0)

    # candidate strings to hash and compare against the given value
    commonStrings = [
        "Diaa",
        "Diab",
        "Mohammad",
        "test",
        "7amama",
        "sos",
        "lolo",
        "hacked",
        "try",
        "a_diaa_2007@yahoo.com",
        "secgeek",
        "lnxg33k",
        "diaa.diab.2012@gmail.com",
        "dia2diab@yandex.com",
        "dia2diab@yahoo.com"
        ]

    for i in commonStrings:
        # md5 needs bytes; .encode() keeps this working on Python 3 as well as 2
        if hashlib.md5(i.encode()).hexdigest() == sys.argv[1].lower():
            print("[ + ] OK i got it.")
            print("[ + ] The hash value [ %s ] is the md5 of [ %s ]." % (sys.argv[1], i))
            sys.exit(0)
    print("[ ! ] The hash not found on your own list.")

if __name__ == "__main__":
    main()



And here is the surprise for me.










Python told me that Facebook retrieves your settings using the MD5 hash of your email.
md5(“diaa.diab.2012@gmail.com”) == 8a0f32986a7ba7b635ffaea220d04ebb
So let’s retrieve the settings for other users using the following form:

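The root cause here is that the eid is a function of public data: anyone who knows an address can compute its md5 and open the preference page. The example below is added to this post and is not Facebook's code; it models a preference centre that hands out a random, unguessable token per subscriber and resolves only tokens it issued, plus the audit check the post performed (is the token just an unsalted digest of the address?) written as a reusable function. The email address used is a constructed placeholder.

```python
import hashlib
import secrets


class PreferenceCenter:
    """Constructed model of a preference page keyed by an opaque token
    (example code, not Facebook's implementation)."""

    def __init__(self):
        self._email_by_token = {}

    def subscribe(self, email):
        """Issue a fresh token from the OS CSPRNG (192 bits, URL-safe).
        The token is stored server-side and is not derived from the address,
        so knowing someone's email gives no way to compute their link."""
        token = secrets.token_urlsafe(24)
        self._email_by_token[token] = email.strip().lower()
        return token

    def lookup(self, token):
        """Resolve a token from an unsubscribe/preferences link.
        Unknown tokens, including hashes of an address, yield None."""
        return self._email_by_token.get(token)


def derived_from_email(token, email):
    """Audit helper: does the token equal a plain, unsalted digest of the
    address? Returns the matching algorithm name, or None."""
    data = email.encode()
    for name in ("md5", "sha1", "sha256"):
        if hashlib.new(name, data).hexdigest() == token.lower():
            return name
    return None


if __name__ == "__main__":
    pc = PreferenceCenter()
    email = "user@example.com"  # constructed placeholder address
    token = pc.subscribe(email)
    print("issued:", token, "->", pc.lookup(token))
    guess = hashlib.md5(email.encode()).hexdigest()
    print("md5 guess resolves to:", pc.lookup(guess))
    print("token derived from email:", derived_from_email(token, email))
    print("md5 guess derived from email:", derived_from_email(guess, email))
```

An HMAC of the address under a server-side secret would also work and avoids storing a token table, but either way the property to test for is the one `derived_from_email` checks: if a link parameter can be recomputed from information the user already has about someone else, it is an identifier, not a credential, and the page it opens needs a real login.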














Thank You
Copy Right @ Diaa


